The Old New Thing

Beware the hash reset attack

There are a variety of message digest algorithms out there, MD5 being a particularly popular one. These generate a "message digest" (essentially, a hash) so you can detect whether somebody has tampered with a file, the theory being that it's hard to tamper with a file without changing its hash. But make sure you record the file size as well...

When do you put … after a button or menu?

When do you put "..." after a button or menu? For example, some menus say "Save as..." and some buttons say "Customize...". What is the rule for dots? Many people believe that the rule for dots is "If it's going to display a dialog, then you need dots." This is a misapprehension. The rules are spelled out in the Windows User ...

When do you disable an option and when do you remove it?

When you're displaying a menu item or a dialog option, and the option is not available, you can either disable it or you can remove it. What is the rule for deciding which one to do? Experiments have shown that if something is shown but disabled, users expect that they will be able to get it enabled if they tinker around enough. So ...

Thinking through a feature

The commentary after my entry on taskbar grouping drifted into people asking for still more features in taskbar grouping. Writing the code is the easy part. Designing a feature is hard. You have several audiences to consider. It's not just about the alpha geeks; you have to worry about the grandmothers, the office workers, the ...

Is your web site an open relay?

As if there isn't enough to worry about. Everyone knows about the dangers of open SMTP relays. But how many people realize the dangers of an open HTTP relay? Many web sites do arbitrary redirection. If I were a spammer, I could create a link to myself that redirects through some well-known web sites, thereby granting my spam link ...

Scripting is a two-edged sword

A three-line VB script will disable your firewall. The advantage of scripting is that you can control so many things with just a few lines of code. The disadvantage of scripting is that bad people can control so many things with just a few lines of code. I wonder how long it will be before there's a virus that disables the firewall...

Is open source the new monoculture?

Okay I know I'm going to get into a lot of trouble for even bringing up this topic... This past weekend, Ulf Harnhammar discovered two buffer overflow and two directory traversal vulnerabilities in LHA, a library of data compression functions. Since the code for this is public, it has been copied all over the place. At least one ...

Where does the taskbar get grouped button icons from?

Follow-up question to Where does the taskbar get grouped button titles from?: Where does the taskbar get grouped button icons from? The icon for grouped taskbar buttons comes from the icon for the underlying EXE, the same icon that appears when you open the folder that the EXE resides in and scroll down to the EXE. For example, if ...