I spent a good chunk of today re-jiggering the look and functionality of the comment system here on my blog. Using the WordPress Thread Comment plugin readers and myself can respond directly to other comments complete with e-mail notification. Gravatar is a globally recognizable avatar plugin giving everyone who posts their thoughts to my blog the option to show an icon representing themselves. If you don’t have a Gravatar account head on over to Gravatar.com to register your e-mail address. Finally, I installed WP-Chunk which simply minimizes long URLs posted in comments and prevents them from breaking my layout.

But most importantly I re-designed the look of comments making them easier to read. I hope this will encourage more discussion on my blog and if you have any feedback, please leave a comment!

P.S. If you need a smattering of comment designs for inspiration check out the comment design showcase at SmileyCat.com.

Adobe released it’s Air product today making it official and peeling off the cliche` beta title. Adobe Air allows developers to build desktop applications using web technologies like HTML for structure, CSS for presentation, and JavaScript for behavior. Flash and Flex, Adobe’s own web technologies, are also rolled up in the mix. Professional authoring tools like Flash CS3 and Dreamweaver CS3 saw updates today to allow development within the popular tools. Aptana also offers a free plugin for their open-source development tool Aptana Studio.

I have been playing with Air apps for the last couple of months while the product was still in beta. There are a lot of clever applications that are more like widgets then conventional full-blown desktop programs. For example, the Adobe sample app PixelPerfect was a simple ruler overlay letting you measure anything on your screen. This little tool comes in handy for web development where there aren’t any rulers on the side or measuring tools like in Photoshop. Powerhouse auction site eBay created their own Air app that banishes the concept of refreshing the page so bidders can watch their auctions in real time. But perhaps the biggest crowd of Air apps belongs to Twitter clients. Thwirl, Spaz, Tweetr, and Snitter are just a handful.

I thought John Ballinger had let his Twitter client, Tweetr, go to pasture without an update since the end of November. With each new Air beta release more functionality would break edging me towards Jonathan Snook’s Snitter. But alas, Tweetr is alive again with version 3.0 launching today to coincide with the official Air release. I’m happy as a clam to have my favorite Twitter client back and to see so many great ideas that have seemingly sprung out of Air.

I finally finished kingkool68.com this weekend. The purpose of the site is to aggregate all of my activity on the web into one single stream, commonly referred to as a lifestream. To mash all of my RSS feeds of activity together I used SimpleLife, a WordPress adaption of the SimplePie PHP script. For the front end I used jQuery, a JavaScript library, as well as standard HTML and CSS.

Most lifestreams I saw didn’t include a way to for end users to filter out certain items, so I built one into my lifestream application. Using the power of CSS selectors built in to jQuery, I wrote a function to grab the list items with a certain class and then toggle a fade effect. If the item was hidden the script would fade them in, otherwise it would fade them out. You can see the 13 lines of code I wrote to do this for yourself.

Once I finished writing the filter code I noticed it didn’t work in Safari browsers even though it performed flawlessly in Firefox. After debugging and digging around on the net for possible solutions I stumbled upon the Safari Developer FAQ. Did you know you can unlock a debugging menu in Safari? The FAQ provides details on how to reveal it and then by holding Apple+Shift+J shows a JavaScript console alerting you to any errors. I used this to figure out that you can’t use ‘class’ as a variable name even though Firefox doesn’t seem to mind. I haven’t tested the site on any version of Microsoft’s Internet Explorer which is notorious for choking on standard code.

So if you ever wanted to see everything I do on the web, checkout kingkool68.com. And if you want to add me as a friend on any of these popular sites, click the small icons associated with each item to take you directly to my profile for that site. The next step would be to package my modifications up into a WordPress plugin so anyone could run a lifestream just like mine. In the meantime if you have any problems implementing a lifestream on your own, leave a question in the comments of this post and I’ll do the best I can to help out. Happy lifestreaming!

With Super Tuesday right around the corner, what is an undecided web geek to do? Why break a decision down into technical specs, like any other decision they have ever had to make.

Robert Accettura did a little survey of the presidential-hopefuls websites and noted what technologies were used on the front and backend. If you were to vote solely on who is using the best web technologies, your best bet would be Barack Obama. His site is run on an open source operating system, uses a CSS based design, as well as HTTP compression. Hillary Clinton and half of the Republican candidates are running Microsoft IIS; surprise, surprise! This survey also showed how web standards has come a long way as all of the candidates but one (Mike Gravel) neglected using a table-based layout.

Does a well-built website architecture make for a great leader? Probably not. But if you are a web geek you will probably get a kick out of these stats, just like me. Check out Roberts page for the complete breakdown.

Google has impressive, interactive charts incorporated into many of their products. The best place to see them in action is Google Finance where stock prices are graphed over time allowing the user to zoom in or out, stretch or expand the selected view, and other fancy interactions. The result is a rich experience for viewing and manipulating data.

Today Google unveiled the public application programming interface to interact with their chart engine. While not as rich as Google Finance charts, this public charting tool is extremely flexible in
creating line charts, scatter plots, bar graphs, Venn diagrams, and even pie charts. Charts are generated by constructing a URL with various parameters, or options, to customize a chart dynamically. Making a URL request returns a PNG image which can be saved to disk or embedded on any web page. Some examples of the charts are shown below.

Documentation for charts can be found at http://code.google.com/apis/chart/ which provides a smattering of examples.

I am very excited by this release as there are a ton of different applications these could be used in. Using some simple JavaScript, you could take these charts a step further and create animated charts using various URLS with one incrementing data parameter. Kind of like this (JavaScript code borrowed from Chip Chapin).

I would like to see a user-friendly interface built on top of the API so those who are less developer inclined can make charts and graphs easily. It wouldn’t be too hard to make a simple JavaScript program to construct the URLs. I will try to crank something out tomorrow at work, because this is simply too cool to pass up.

There is nothing web geeks love more than strutting their thorough knowledge of the subject. Knowing every single HTML 4 element by heart or to have each and every CSS property on the tip of your tongue doesn’t really help you in every day web development; understanding and realizing when to use each is more important.

But all of that goes out the window when it comes to quizzes like How Many HTML Elements Can You Name in 5 Minutes? or How Many CSS Properties Can You Name in 7 Minutes?

Out of the 91 W3C approved HTML 4 elements I identified 44, or 48%, in 5 minutes.

With CSS properties I did a little worse. getting 42 out of a possible 122 in 7 minutes, or 34%. I won’t disclose the simple ones I missed to give you a fair test when you take it. Most of them no one uses anyways!

How many did you get?

The popular online web magazine, A List Apart, conducted a survey of web professionals in April 2007 via their website. This week they finally released the results in a massive, though well designed, 80+ page PDF.

Being the first major survey of the web industry, I, and many others I’m sure, was anxious to see how I stacked up. The survey focused on the core areas of classification (gender, ethnicity, location etc.), education, work and job titles, and money. There are too many findings to even begin listing here but the PDF does a great job at explaining their conclusions with many, many graphs. Speaking of data, A List Apart is giving away all of the anonymized raw data for people to dig through and reach their own conclusions.

I can’t wait to see the results from the next survey to compare the changes in the industry from this year.

Earlier this morning a friend sent me a link he found on Reddit that pointed to a very large security hole on the Adobe.com website. It has since been patched but I thought I would take some time to explain a little bit about how it worked and how it could have been exploited further. The problem was due to a lack of sanitizing a URL path passed as a query string from the Shockwave download page to a Perl script for back end processing.

A hacker could use this flaw to enter a local server path in the query string and get the server to spit back information about itself like file directories, usernames and passwords, and even important encryption keys. The following URL used to return a long string of what appears to be garbled text.

../../../../../../../../../usr/local/apache/conf/ssl.key/www.adobe.com.key%00

What was happening was the path goes up to the root level of the server (the series of ../’s) and then into the local apache configuration files. Here the private encryption key used to encrypt SSL traffic would be exposed.

Whenever you conduct a secure transaction over the web, like giving a website your credit card information for a purchase, the traffic gets encrypted so it cannot be intercepted between the server and your computer. This keeps your confidential information safe and prevents a third party from sniffing your traffic to see what you are sending or receiving. You can tell you are using a secure connection by the yellow lock icon used in most browsers and the https:// instead of http:// in your address bar.

For this connection to work the server needs to have two keys; a public key and a private key. The public key is sent to your computer which it uses to encrypt a random number to send back to the server. A private key is kept on the server which is the only key that can decrypt the random numbers sent from your computer. From this transaction, both parties can generate key material used in encrypting and decrypting data. When an attacker looks at traffic over an SSL connection it looks like completely random and garbled text with no discernable pattern to it. The server and client can easily decrypt the garbled text putting it back to the original plain text.

Releasing the private encryption key of a web server into the wild compromises security allowing a 3rd party to easily decrypt SSL traffic or impersonate the server to perform a phishing attack. Adobe’s security hole wouldn’t directly break anything right away but a malicious user could use the flaw to probe for other weak spots and conduct an attack on those. Such attacks could expose personal data or intercepting sensitive traffic.

When coding a web application it is a good idea to build in a sanitize function that will strip out any non-alphanumeric characters like backslashes and periods. This can be done easily with a regular expression like replace(/\W/ig,”") that is common to most any programming language. This regular expression would change this ../../../../../../../../../usr/local/apache/conf/ssl.key/www.adobe.com.key%00 to this usrlocalapacheconfsslkeywwwadobecomkey00 . For more help with regular expressions check out this great tool I found.

For more information about SSL and Public Key Cryptogaphy check out Security Now Episode #34 Public Key Cryptography and Episode #85 Intro to Web Code Injection.

UPDATE: The Register has a complete write up about the security leak.

Most web designs use a classic header, columns, and footer layout, so there is no point in slaving over the details of the basic structure when you are starting a new design from scratch. YAML Builder makes the process quick and easy with a simple WYSIWYG online tool to build out your starting point.

You start out with a basic three column layout and from there you can customize it to fit your specific needs. Choose the doc type (I prefer HTML 4.0 Strict), optional base elements, and the number of columns to start out with. You can specify the widths of various elements choosing between a static width or liquid layout and the source order of the columns. Finally, the fun can begin by adding specific elements like headings, paragraphs, and lists to complete your basic web page. It should be noted that adding the specific content is not as straight forward as I would have expected. You need to click on the ‘Add +’ toggle in the upper left corner of the element before you can drop in child elements. Throughout the whole process you can click the ‘Toggle View’ button to see a real time preview of the final rendered code. When you are all done click the ‘Get Code’ button and the builder will display the HTML code, the base CSS code, and even an Internet Explorer bug fix CSS in a slick modal pop up so you can be off to a great cross-browser start.

YAML (Yet Another Multicolumn Layout) is an open source CSS framework meant to get you up and coding quickly while reducing the tedious detail work associated with CSS design. Download Squad recently reviewed the Yahoo CSS Grid Builder tool which does a similar thing but is much less polished. The YAML builder also offers a greater flexibility with your design as well as using less code in the end.

If CSS has left you a bit dizzy in the head or you simply want a quick place to start, the YAML builder is the best place to go to.

Security fanatic and host of the #1 Tech Podcast (Security Now) Steve Gibson, built his own e-commerce system in assembly language. This came from a need and lack of a 3rd party product that offered the features Steve needed. What really intrigued me while listening to Steve on Security Now #109 was how accessible he made his e-commerce system.

The web was designed with a server-client model in mind. This means a server has no means for keeping state, or what information you have previously sent to it. A server spits out pages and has no means to keep track of who sent what. The classic model to solving this problem involved setting client-side cookies using JavaScript to write and read information specific to that user that can be sent back to the server. Steve is a firm believer that scripting is inheritly evil and didn’t want to rely on his potential customers having JavaScript enabled in order to complete a transaction. Instead, Steve came up with a pretty clever method of keeping track of customers as they go through the checkout process.

Steve’s system collects the basic info on the first page of the process and then sends it to the server for validation like does the provided e-mail address look like an e-mail address and is the credit card number properly entered. Steve then takes the customer to a second page where he asks to confirm their e-mail as well as gathering additional data. The trick to keeping track of the previous data entered without using cookies is the use of a hidden field which Steve fills with the previous data encrypted using a secret key on the server and then digitally signed using a cryptographic hash. The result is all of the users data that is essentially useless outside of the server which can then be sent back to Steve, decrypted, and used to fulfill the order.

Now this might sound a little fishy if it weren’t coming from Steve Gibson himself. But this is the guy who wrote the Ultra High Security Password Generator, which is guaranteed to never give the same password twice and is truly random.

I have always had this idea of creating my own e-commerce site to sell my photography and hearing Steve talk about designing and building his own e-commerce solution was really inspiring. You can listen to the 95 minute podcast or read the complete transcript over at GRC.com/securitynow.