Blog on chrispederick.com

Blog on chrispederick.com Full Posts

I installed the iOS 13 beta on my iPad to test it out, but was planning on waiting to update my iPhone. However, I edited a shortcut on my iPad and now it won’t work on my phone unless I upgrade. I might have to pull the trigger on updating there as well now 😬

What I Read in February 2019 📚

A little late on posting this as I was on vacation, but I read four books in February:

You can also follow what I’m reading on Goodreads.

What I Read in January 2019 📚

Earlier this month I decided to listen to fewer podcasts and to use that time for audiobooks instead. One month in and I couldn’t be happier with my decision. I’m not missing the repetitive tech podcasts at all. I’m “reading” more books again and it’s giving me a genuine sense of accomplishment.

This month I read three books:

You can also follow what I’m reading on Goodreads.

Parcha

Parcha and I

Yesterday Abby and I had to say goodbye to our 16 year old cat, Parcha. We are both pretty devastated and will have a cat shaped hole in our lives for some time. However, making this sad time a little easier has been seeing the comments from friends and family, and just how many lives were touched by one sweet, little cat.

Here are just a small selection of those comments:

Parcha was a special kitty.

Oh, Parcha—you were the baddest thug cat ever.

I haven’t seen her in forever and am missing knowing she’s still here.

That was one tough kitty and she deserved every ounce of love she got.

Oh Parcha. You were so very loved, sweet kitty.

Parcha was a non-cat person’s cat.

Best cat. (Although I’m not convinced she was actually a cat. Hardened criminal? More likely. But the best, for sure.)

Parcha was the first cat I’ve ever met that enjoyed eating tortilla chips – she had such good taste in snacks.

I feel so lucky to have been able to spend some kitty time with Miss Parcha. She was easily one of the most affectionate cats I have ever met.

I’m so sorry, but glad I knew that sassy lady with the smokey lips. She helped me transition into the crazy cat lady that I am today.

I was always in awe of how sweet she was, ever since she was a little kitty. I will miss seeing her in my visits home.

One of my favorite cats of alllll time.

My abiding memory of Parcha will be when I visited 10 years ago and she ‘greeped’ me and I freaked! She was such a canine feline.

I’ll never forget her licking the Thanksgiving turkey.

Parcha was such a fun kitty. I was always impressed with how deftly and quickly she wrapped Chris around her little paw.

I believe she’s in cat heaven in some bar, ordering a double shot, strategizing how to lift a pork chop off some angel’s plate. He’s a fucking angel, he doesn’t need that damn pork chop.

My favorite memory of Parchy was the time I was taking a bite of a cheeseburger and she came over and took a bite out of it at the same time. Also – the time she hid behind my garbage can and would reach her paw over and take trash out thinking I wouldn’t see her. She was the best and you gave her a wonderful life.

The best cat I ever knew.

Web Developer for Chrome Compromised

On Wednesday, August 2nd at 6:30 am PDT I discovered that Web Developer for Chrome had been compromised and a new version 0.4.9 had been uploaded to the Chrome store that contained malicious code. I immediately disabled the extension in the Chrome store and regained control of the developer account associated with the extension. At 8:40 am PDT I uploaded a new version 0.5 that removed the malicious code.

Please make sure that you update to version 0.5 of the extension as soon as possible. I am still looking into exactly what the malicious code was doing, but it is strongly advised that if you had Web Developer for Chrome installed that you change your password to any site that you logged into on Wednesday, August 2nd as a precaution, particularly Cloudflare which looks as though it may have been explicitly targeted. It has also been suggested that Cloudflare users revoke their API key if they visited the Cloudflare dashboard yesterday as this may have been compromised as well.

Note: The Firefox and Opera versions of the extension were entirely unaffected.

I sincerely apologize for this incident and the pain and frustration it has caused.

Timeline Of What Happened

Tuesday, August 1st

9:25 am PDT: I receive an email saying that Web Developer does not comply with Chrome store policies and needs to be updated. I could make excuses about how I am extremely busy at work or I seem to constantly be logged out of my Google account so having to log in is not unusual, but the reality is that I am a bloody idiot and blindly logged into my developer account after clicking on a link in the email. To add to my stupidity, the developer account did not have two-factor authentication turned on. At the time, I do not realize what I have just done and simply save the email to look into in more detail when I have more time.

Wednesday, August 2nd

6:30 am PDT: I wake up to a number of tweets and emails from users reporting unusual logging and adware coming from Web Developer. I realize that this is tied to the email from the day before and immediately change my developer account password. I log in to the developer dashboard and see that a version 0.4.9 has been uploaded by someone other than myself and immediately unpublish the extension from the Chrome store.

8:40 am PDT: I create a new version 0.5 from a code branch that I had been actively working on to fix bugs in the extension and upload that to the Chrome store.

9:15 am PDT: The new version 0.5 goes live in the Chrome store.

Fallout

With the compromised version of the extension now replaced in the store, I have been working on replying to everyone who tweeted or emailed me advising them to upgrade to version 0.5 ASAP. I have also informed Google of what happened, although there is not an obvious right way to report this and thus far I have not heard from them.

I changed the password for the developer account immediately upon discovering the issue, but I have also now enabled two-factor authentication on that account so that an attack of this nature is far harder in the future.

I am also continuing to look into the impact of the malicious code as are others with far more security knowledge than myself, which is incredibly appreciated.

Someone has created a Gist that shows the malicious code that was added to the extension and is decoding and discussing exactly what the code is trying to do.

I also received an email from a security officer of an ISP in the Netherlands who says that the malicious code looks to use a date-based domain to request URLs and they have graciously registered the domains for the next week of dates in an attempt to block the requests from happening.

My extension does not seem to be the only one that was targeted in this way and the developers of the Copyfish extension have written their own blog post detailing what happened to them which appears to be very similar to my experience.

I will continue to update this post with more information as I have it and once again I sincerely apologize for the disruption and distress that this has caused.

Update: Proofpoint has posted an incredibly detailed breakdown of the compromise.

Using Blur To Create A Wallpaper For iOS 7

iOS 7 looks completely different from previous versions of iOS so after installing it on my iPhone I decided to change my wallpaper to better fit with its design.

The iOS 7 lockscreen is now much cleaner and lends itself to highlighting a photo, but I found using the same photo as my homescreen wallpaper too distracting. iOS 7 “uses translucency to provide a sense of context and place” so I wondered if using a blurred version of the same photo would look good on the homescreen.

Blur is a $0.99 universal iOS app that allows you to blur any picture and set it as your wallpaper. The interface is simple, but beautifully designed and allows you to quickly import a picture, adjust the blur effect and export the blurred picture back to your camera roll.

Blur screenshot

Using this blurred version of my lockscreen photo on my homescreen leaves it clean, but keeps a visual connection back to the lockscreen and I plan on using this technique whenever I change the photo on the lockscreen.

Phone screenshot

Web Developer 0.4 for Chrome

Web Developer 0.4 for Chrome is now available. The extension can be downloaded on the Google Chrome extension gallery.

Web Developer for Chrome

The release notes contain the full list of changes in this version, but some highlights are:

  • A new disable menu
  • Syntax highlighting and line numbers when viewing code
  • A new feature to view the responsive layouts of a page
  • Unlimited resize dimensions and tools configurable in the options

Web Developer options

Under the hood this is also essentially a complete rewrite of the extension that merges the code base with the Firefox version. This should allow improved features, fewer bugs and more frequent releases going forward.

Permissions

The Web Developer extension has always needed access to your browsing history as that is how it is able to add custom scripts to any web site for its features to work. However, some of the new features now require extra permissions such as access to cookies. As explained in the FAQ none of this data is accessed beyond the needs of the features of the extension and no personal data is sent from the extension to a third-party apart from for the third-party features such as validators.

Web Developer for Firefox 1.2 Beta 1

Web Developer for Firefox 1.2 Beta 1—a preview release of the next version of the Web Developer extension for Firefox—is now publicly available. This release is for testing purposes only—for a fully supported version of the extension or localized builds please see the latest official release.

Web Developer OS X theme

A few notable changes in this release are:

  • A new theme on OS X
  • A number of new features including ‘Reload Linked Style Sheets’ and ‘View Responsive Layouts’
  • Keyboard shortcuts can now be assigned to any feature
  • Syntax highlighting and line numbers when viewing and editing code

And of course there are many fixed issues. For the full list of changes in this version please read the release notes.

Feedback

As a beta release this build is not guaranteed to be stable. The idea behind this beta release is to give people the opportunity to provide feedback about this next version as well as report any bugs. Please report any feedback or issues in the beta forum or via the contact form.

Note that the forums on chrispederick.com have been upgraded as my self-hosted version of FluxBB was having more and more problems recently. Therefore I have upgraded to a hosted Vanilla Forums setup.

Unfortunately as part of this upgrade the existing forums data including user accounts and posts could not be easily migrated so you will need to re-register if you had registered previously.

Let me know if you see any problems with the new forums by posting in the forums or via the contact form.

Improved Web Developer ‘View JavaScript’ Output

The updated ‘View JavaScript’ output in the next version of the Web Developer extension including syntax highlighting and line numbers.

Web Developer View JavaScript output

Rdio Add Album To Playlist Bookmarklet

A month ago I posted that I wanted to try Rdio, but could not because even their native OS X application requires Flash which I don’t have installed on my laptop. However—although I have not seen a formal announcement—it now appears that they are bundling a version of Flash in with the application.

So I re-activated my Rdio subscription—I had tried the service out a year or so ago—and used the application to match my iTunes music and add it to my Rdio collection.

Setting Up A Scores Playlist

At work I like to listen to movie scores as they typically contain no lyrics which I find distracting when I am writing code. So I set up a ‘Scores’ playlist in Rdio and went to start adding movie score albums to it.

The problem? Rdio only lets you add songs to playlists one at a time—you cannot add an entire album. Adding an album to a playlist one song at a time becomes very tedious very quickly and despite numerous requests to allow adding an album to a playlist, Rdio has yet to add this feature.

Therefore I created a bookmarklet that when clicked on an album page on Rdio adds the entire album—all the tracks that are available for streaming at least—to the chosen playlist.

Using The Bookmarklet

  1. Drag the link above to the bookmarks bar in your browser.
  2. Go to an album page on Rdio in your browser. For example: The Dark Knight.
  3. Click the ‘Add Album To Playlist’ bookmarklet in your bookmarks bar.
  4. For the first track you will be asked which playlist to add the track to and all subsequent tracks will then be added to that same playlist.
  5. Wait for the bookmarklet to add the remaining tracks to the playlist—you will see some flickering of Rdio dialogs appearing and being automatically clicked—and once it has finished a JavaScript dialog will appear telling you how many tracks were added to the playlist.

Rdio bookmarklet dialog

Fragile

As you can tell by the flickering of Rdio dialogs when you use the bookmarklet, this works by basically automating the task of adding each individual track to the playlist. This means that any HTML or CSS changes to the Rdio site will likely break the bookmarklet.

I will be trying to keep the bookmarklet up to date and working if this happens, but I cannot guarantee the timeliness of my support. I have only really tested the bookmarklet in Chrome so let me know if you encounter any issues in other browsers. Also, note that I am not responsible for any problems caused by using this bookmarklet. Hopefully Rdio will add this feature soon and we will not need this hack for much longer.

For those that are interested, here is my scores playlist.

Update: Rdio added support for adding entire albums to playlists in the new Rdio so this bookmarklet is no longer required or supported.

Why Web Developer May Finally Be Coming To Safari

When Safari 5 was released a year ago Apple followed the lead of Firefox and Chrome and added support for extensions. A number of people contacted me at the time asking if I would port Web Developer to Safari and I said I would look into the possibility.

When I looked at the Safari extension API it was clearly based on the Chrome extension API and I was initially hopeful that creating a Safari version of Web Developer would not only be possible, but relatively straightforward.

Why Web Developer Does Not Work With Safari (Yet)

My first thought was to add a toolbar button that could open an HTML version of the Web Developer toolbar just like I do in Chrome:

Web Developer for Google Chrome

However, while Safari supports adding custom toolbar buttons they can only execute JavaScript and cannot open HTML popups like Chrome allows. This did not appear to be an issue since Safari extensions are allowed to create entire toolbars—something that Chrome extensions cannot do—and this would be the ideal implementation for Web Developer.

As I started to work on creating Web Developer as a Safari toolbar though, a major shortcoming became clear. Safari toolbars can only contain HTML elements and do not allow those elements to expand outside of the toolbar—expanding menus in the toolbar are not possible.

The only way to work around this limitation is to use HTML select elements—an option that extensions like Safari Developer are using:

Safari Developer toolbar

I personally see this as a clunky solution with major limitations and poor usability. Therefore I decided to wait and hope that the Safari extension API matured to allow a better implementation of Web Developer.

Why Web Developer May Work With Safari In Lion

Cut to this week and Apple released a bunch of new information about the next release of OS X called Lion. Tucked at the end of their section detailing the new features in Safari in Lion is the following paragraph:

Safari extensions

If I am understanding this correctly it sounds like the Safari extension API will be updated to support HTML popups being opened by custom toolbar buttons just like in Chrome. If this is true then I will once again look into porting Web Developer to Safari.

When?

OS X Lion does not have a firm release date yet, but it is due to be released some time in July and I am currently working on the next release of Web Developer for Firefox. Any development on a Safari version would have to wait until the Firefox update is complete, but I cannot give any estimate as to when this might happen. Just know that I will be investigating the possibility of porting Web Developer to Safari as soon as I have the time once Lion is released.

Firefox 4

At the end of January I released new versions of both the Web Developer and User Agent Switcher extensions. These patch releases primarily added support for the then upcoming release of Firefox 4 which eventually came out two months later. Since then I have been extremely busy at work and have not had much time to work on the extensions, but I wanted to give an update about some issues that were found with Firefox 4.

Web Developer

The main issue with the Web Developer extension in Firefox 4 is that the toolbar menus are not checked when they are activated on Mac OS X. This is actually an issue with Firefox 4 and I have filed a bug with Mozilla that they have acknowledged, but are still working on. Hopefully this will be fixed soon as it’s a major issue that affects all toolbar menus in the browser.

There are also a few features in the Web Developer extension itself that have issues in Firefox 4:

  • The toolbar display options always reset.
  • The ‘Mark All Links Unvisited/Visited’ features no longer work.
  • Wildcard cookies can no longer be added.

I’ll be looking to fix all of these issues in the next release of the Web Developer extension.

User Agent Switcher

The User Agent Switcher extension also has a couple of issues in Firefox 4. First of all, the extension is not easy to access in Firefox 4 on Windows. There are currently a couple of ways around this as explained in the screencast below and I’ll be looking to fix this in the next release.

The second issue is that Mozilla removed the ability to override some of the user agent properties in Firefox 4 that you could override in previous versions. Specifically the app code name and vendor and vendor sub properties can no longer be overridden. There is nothing I can do to workaround this, but I will be updating the User Agent Switcher extension to indicate that those properties have no effect in Firefox 4.

Timeline

As always I cannot give estimates for when the extensions will be updated as it depends on how busy I am at work, but I am actively working on them whenever I have free time and will release them as soon as I can.

Web Developer 1.1.9 and User Agent Switcher 0.7.3

Patch releases of both the Web Developer and User Agent Switcher extensions have been released for Firefox. These releases primarily add support for Firefox 4 to both extensions as well as fixing a few issues in Web Developer including ‘View Style Information’ being vulnerable to a cross site scripting attack. The full list of changes to the Web Developer extension can be found in the release notes.

Web Developer 1.2

I had originally hoped to release version 1.2 of the Web Developer extension in time for Firefox 4. Version 1.2 will merge the Firefox and Chrome codebases of the extension, as well as adding new features and fixing a number of issues. However, this is still in development which is why I have released this minor update to make sure that Web Developer is at least compatible with Firefox 4.

I’m continuing to work on version 1.2 so look for progress updates on Twitter and Dribbble.

Web Developer 0.1 for Google Chrome

I am pleased to announce the release of Web Developer 0.1 for Google Chrome. The extension is available for download on the Google Chrome extension gallery.

Web Developer for Google Chrome

As the version number suggests this is an early stage build of the extension for Chrome that I wanted to release quickly to elicit feedback.

As such, there are a few missing features from the Web Developer extension for Firefox, particularly those that require custom interface elements like ‘Edit CSS’ as these need to be rewritten to integrate fully into the browser. Some of the more complicated features as well as configuration options like keyboard shortcuts are also not included in this initial release, but these will be coming soon in future updates.

One feature that unfortunately is missing is ‘Disable JavaScript’ as this is not possible to implement with the current Google Chrome APIs. Please star this bug and hopefully the APIs will be updated.

I haven’t had a chance to upload the source for the extension yet, but I should have something up (most likely on GitHub) soon and will post a link to the repository when I do. Please post any issues or feedback in the Chrome section of the forums.

Web Developer 1.1.8 and User Agent Switcher 0.7.2

Updated patch releases for both the Web Developer and User Agent Switcher extensions have been released.

This version of the Web Developer extension fixes an issue where the ‘View Generated Source’ feature did not work, as well as combining the Firefox and Seamonkey versions of the extension into one build. The User Agent Switcher extension release should hopefully fix the problem with importing user agents in nested folders once and for all.

Apologies for the frequent updates, but hopefully these will be the final patch releases before the next major releases of the extensions.