
PRISON OF MIRRORS We're not here because we're free. We're here because we're not free.

Why You Should Never Sanitize or Change User-Supplied Passwords

May 17, 2013

I recently wrote this story on a forum I frequent, but I thought I’d share it here as well and include some additional details.

A little more than a month ago at my work we were dealing with a website that was constantly being hacked. The website itself ran just fine; the hack was unnoticeable to the majority of users. The attackers were injecting hidden code into the website that only appeared to bots like the Google bot. When people googled the website, the listing on Google would show ads for other things (usually undesirable) rather than the website’s description or any intended content. Needless to say the client did not want this.

The client’s website had been a victim of hacking several times in the past over the course of several months. They were running a very outdated version of Joomla! that we determined to be the most likely way the attackers were getting in. Due to the amount of customization to the website and the age of it, we recommended rebuilding the site in WordPress or dropping the CMS capability altogether and just creating a static website. The client declined to do either to save money. They continued to get hacked though and we continued to clean it up as best we could.

Eventually someone noticed the undesirable text on the Google (and other search engines) listings and alerted the client, who subsequently alerted us and asked us to fix it. We eventually convinced them to rebuild the website in WordPress; however, the attacks continued. At this point the client was getting increasingly annoyed with us thinking we were incompetent at what we did. To be clear: we’re not a security company. We make websites. This doesn’t mean we don’t know stuff, but we’re not experts at cleaning infections. There are some basic things that pretty much any programmer or techie would know to do or look for but we don’t specialize in this kind of work. We already went through the normal motions of changing passwords, folder/file permissions, etc.

The client pretty much threatened to drop us. This was our oldest client, and was very important to us both in monetary terms and on a relationship basis. We wanted to make them happy and fix their problem but as just mentioned, this isn’t what we do. In any case, we stopped everything and decided to take a “scorched Earth” approach.

We deleted everything from their FTP and we systematically went through our code (line by line in many cases) looking for anything that was suspicious and scrutinized it with extreme prejudice. Once we were satisfied that our code had no infections we were ready to reupload the files.

During this process I was also going through changing all the passwords to their various systems, including the control panel password. We have a password scheme but I made the call that it was not sufficient in this case and decided to use KeePass’ password generation tool to generate 40 character passwords comprised of random letters, numbers, and symbols; these passwords were stored securely so there was no worry of having to remember them or even typing them in.

I changed the control panel password and it came back with a success message telling me it was changed. Great. I recorded the new password and went to log back in. The login failed. I tried again. And again. I tried the old password as well. No dice. I tried on a different browser, a different computer. I tried everything. I couldn’t get back in.

We were in a critical moment as well because the client declared 5pm as the deadline to have everything back up and working again or they were no longer going to do business with us. It was 4:45pm. My boss and I were very stressed and almost freaking out. We contacted the hosting company but they were unable to do much for us. We weren’t “on the account” and therefore there wasn’t anything they could do except send out the password to the email addresses that were already on the account. One of the emails was the person we were dealing with directly (who had set the deadline).

That was the last person we wanted to interact with at this point, but my boss got on the phone and talked to him. He twisted some facts to take some of the heat off us but managed to get the password email forwarded to us. I took a look at the password and it was exactly what I generated. I copied and pasted it into the login form and voila – I was in. But I was very perplexed because it was the same password! In any case, due to the time crunch I finished my work and we got everything settled with literally minutes to spare.

I went back to take a look at the password because I knew something was wrong. After putting both the generated password and the password from the retrieval email into Notepad I noticed the one from the retrieval email was only 39 characters. It was shorter. I studied both of them carefully to see what was missing and the password from the retrieval email was missing a backslash!

The control panel form accepted the password, but it stripped the backslash from it without ever telling me! There were no indications of any restrictions on passwords, and without any kind of feedback to me, I was completely oblivious to what they had done. I told my boss about what happened because I wanted to make it clear that this wasn’t my mistake, and that this is very frowned upon when it comes to security practices.

We were both quite surprised because we have used the host quite a bit in the past and are still using them for several current projects as well and we have never had a problem at all. They seemed like they really knew what they were doing. I guess not. I sent a strongly worded email to them letting them know that this was poor practice and the trouble it caused me. I never heard from them.

Stripping random characters isn’t the only offence. I’ve seen people apply trim(), addslashes(), strip_tags(), strtoupper(), etc. to passwords. These are all bad, and most of all, completely unnecessary.

Just an additional tidbit of information: WordPress doesn’t accept backslashes in their users’ passwords either, but at least they display a message to tell you!

Regardless though, there’s no reason to restrict a user’s password. Not like this, anyway. Passwords are just strings that should be fed directly into some kind of hashing algorithm or other security function. By the time they reach something like a SQL query, they should no longer resemble anything a human would be able to understand, or anything that would be able to mess with a query. Period. Don’t do this. This is bad. Even if you reject the password and tell the user.
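To make the failure mode above concrete, here is an added example (my own illustration, not the host’s code or anything from the post) that models both flows: a password-change handler that silently strips backslashes before hashing, and one that hashes exactly what the user typed. The function sanitize_like_the_host is a hypothetical reconstruction of the control panel’s behaviour, the sample password is constructed, and the in-memory dict stands in for a user table. Once the digest is hex, nothing the user typed (quotes, semicolons, backslashes) survives to reach a query.

```python
"""Why stripping characters from a password breaks login: sanitized vs. raw hashing."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; chosen for illustration


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive (salt, digest) with PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def sanitize_like_the_host(password: str) -> str:
    """Hypothetical reconstruction of the control panel: drop every backslash, say nothing."""
    return password.replace("\\", "")


def set_password_sanitized(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    """The broken flow: 'clean' the password first, then hash whatever is left."""
    store[user] = hash_password(sanitize_like_the_host(password))


def set_password_raw(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    """The correct flow: hash exactly the string the user supplied."""
    store[user] = hash_password(password)


def login(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """The login form does not sanitize, so it checks what the user actually typed."""
    salt, digest = store[user]
    return verify_password(password, salt, digest)


def stored_form(password: str) -> str:
    """What reaches storage or a query: a fixed-length hex digest, never the raw text."""
    _, digest = hash_password(password)
    return digest.hex()


def demo() -> Dict[str, bool]:
    # Constructed sample: a generated password that happens to contain a backslash.
    chosen = r"Kq7#\mW2!zR9pL4v"
    stripped = chosen.replace("\\", "")
    broken: Dict[str, Tuple[bytes, bytes]] = {}
    correct: Dict[str, Tuple[bytes, bytes]] = {}
    set_password_sanitized(broken, "admin", chosen)
    set_password_raw(correct, "admin", chosen)
    return {
        # The password the user recorded no longer works after silent stripping.
        "sanitized_accepts_original": login(broken, "admin", chosen),
        # Only the mangled 39-character variant gets in, which the user never saw.
        "sanitized_accepts_stripped": login(broken, "admin", stripped),
        # Hashing the raw string behaves as the user expects.
        "raw_accepts_original": login(correct, "admin", chosen),
        "raw_accepts_stripped": login(correct, "admin", stripped),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print("stored form of a quote-laden password:", stored_form("it's; a \"pass\" \\word"))
```

The point of stored_form is the author’s closing argument: the hashed value is 64 hex characters regardless of what the user typed, so there is nothing left for trim(), addslashes() or strip_tags() to protect against, and applying them only changes which password the user must later guess.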

Posted in Security

Internet Explorer 11 User Agent Appears Like Firefox

March 26, 2013

This morning was the first time I had heard “Internet Explorer 11” even mentioned. Microsoft released the first platform preview of Internet Explorer 10 a mere four weeks after the release of Internet Explorer 9, so it wouldn’t surprise me at all if IE11 was already starting to make an appearance in some form.

The new upgrade to Windows 8 – dubbed Windows Blue – was leaked on the Internet recently which revealed Internet Explorer 11. It was also discovered that its user agent will mimic that of Firefox. Interesting.

Mozilla/5.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0C; rv:11.0) like Gecko

Above is the reported user agent string. I have only seen it in a screen shot so I apologize for any typographical errors.

It’s theorized Microsoft is going down this route to avoid browser sniffing and having a different CSS style sheet served because it’s Internet Explorer and not one of the standard compliant browsers. See what I did there?

I think it’s a little too early to tell what the final user agent string will be for Internet Explorer, and for all we know this could be completely false or fake, so I’m going to withhold any judgement until there’s at least a platform preview available. The browser though appears to be in its infancy since the only information I can find about it on the Internet is related to the Windows Blue leak and its user agent string. Or maybe Microsoft is keeping a very tight lid on it. We shall see.

Posted in Browsers

Internet Explorer 8 is the New Internet Explorer 6

March 20, 2013

What’s really unfortunate is that Internet Explorer 8 is going to become the new Internet Explorer 6 in its own way. There’s enough of a leap between versions 8 and 9 that web designers and developers are going to have to use special techniques and “hacks” to get things to work on Internet Explorer 8. According to StatCounter, in February 2013 Internet Explorer 8 still enjoyed a 10.76% market share. That means for every ten users who visit your site, one of them will be using Internet Explorer 8. That number is too large to ignore.

It sucks knowing that virtually every other browser is enjoying decent to great standards compliance of HTML5 and CSS3.

At my work all too often we’ll want to include a cool feature or effect but we either have to say no, or figure out how to accomplish the same thing in JavaScript because Internet Explorer 8 doesn’t support it. The most common annoyance is the CSS3 pseudo-class :last-child. The other common offender is :nth-child, most commonly used for styling alternate rows in tables.

To be fair these two annoyances can be remedied rather quickly using jQuery or making some alterations to server-side code to print out a class for each alternate row, but that doesn’t dismiss the fact that there’s more coding and additional overhead to accommodate Internet Explorer 8.

There was another instance recently where a client wanted the first letter in each paragraph to be large, bold, and a different font than the rest of the paragraph. This content also had to be easily editable for the client, so we couldn’t just slap a span tag around the first letter. Doing so would require additional training to teach the client how to do this, something that’s costly and prone to error since most clients don’t understand HTML – even after you show them. I suggested using the :first-letter pseudo-element. I had to preface it with its inability to render correctly in anything lower than Internet Explorer 9. We ended up using it but also explained to the client its limitations.

The worst of all is that thanks to consumers’ reluctance to give up Windows XP (seriously, folks, it’s nearly 12 years old. Upgrade already.), Internet Explorer 8 is here to stay until at least April 8, 2014, which is when Microsoft pulls the plug on its support for XP. Currently the company pushes security patches through Windows Update for XP, but that will all end on the aforementioned date. I cannot wait.

Posted in Browsers

Internet Explorer 10 Released For Windows 7

March 1, 2013

Finally, after months of availability on Windows 8, Microsoft has released Internet Explorer 10 on Windows 7. It became globally available on February 26. Microsoft will be pushing the browser through its update system in the coming weeks and months. It’s only available for Windows 8 and 7; it is not available for Windows Vista. In the meantime you can head over to Microsoft’s website and download the browser manually.

So, is it worth the wait? Well, it certainly has improved over Internet Explorer 9 in terms of HTML5 and CSS3 compliance. Microsoft is boasting that the new browser supports more than 30 new standards over the previous iteration, including (my most-wanted) text-shadow (yes it has taken them this long to implement that). Internet Explorer 10 has closed the gap with Chrome and Firefox in terms of standards adoption, though if Microsoft maintains its schedule of large delays between releases, that gap is going to grow rather large rather quickly. In the meantime though let’s hope people start updating their browser.

I have updated the browser on my computer and indeed it is quite speedy, but to be honest that was never really the problem with Internet Explorer, especially not with Internet Explorer 9. I never really had any speed issues with the browser. My issues came with the lack of standards adoption and the poorly designed UI (and the lack of add-ons and extensions like the other leading browsers).

Just for fun though I decided to give the newest browsers a run through the SunSpider JavaScript benchmark tool. I know there are a number of JavaScript benchmark tools available now, but this seems to be one of the more popular ones. I’m not expecting much from this test, nor should it be an indicator which browser you use; all the major browsers have made huge strides in their JavaScript performance and it’s pretty much a non-issue now. But, nonetheless, I like to test them out anyway just to see. The smaller the number the better the result.

  1. Internet Explorer 10 98.5ms
  2. Chrome 25.0.1364.160 142.5ms
  3. Firefox 19.0.2 172.3ms
  4. Safari 5.1.7 182.0ms
  5. Opera 12.14 183.3ms

The results were more or less what I expected. Microsoft had a very fast JavaScript engine in Internet Explorer 9 that also led the pack. As the results show, the browsers are all pretty close with each other, more or less. Remember these results are in milliseconds.

So where does this leave us? Well, hopefully people will upgrade to the newest version if they’re still using Internet Explorer. Hopefully by year’s end most Windows users will be using Internet Explorer 10. Of course those who refuse to give up XP can only upgrade to Internet Explorer 8, but that issue is for another post.

Posted in Browsers

The Dvorak Keyboard – Part IV

February 25, 2013

It’s been about a full year since I started using the Dvorak keyboard and it’s been quite the journey. This will likely be my last post about my Dvorak progress. I think a year is enough to gauge how well I have come along. When I embarked on this journey I went into it with the mindset, “Can I do this?”

Did I? I think so. I struggled in the beginning like many people do, but I was able to pick up the new layout in due time. I should have done a lot more lessons and learned the keyboard instead of just diving in and forcing myself to type. I think by doing that I have picked up a couple bad habits but nothing that prevents me from typing at a reasonable speed. For example I find myself hitting the L key with my ring finger instead of my pinky.

One of the biggest questions about learning Dvorak is what are the benefits? Namely, did your typing speed/accuracy improve? Unfortunately I didn’t quite know what my speed was before on the QWERTY layout, though I know I have done tests where I managed to get into the mid-80 wpm range. But I don’t know my actual typing speed with it. I also feel like typing tests are not an accurate portrayal of one’s typing ability; reading and typing can be challenging for many whereas just typing what you’re thinking can yield quite different results.

But anyway, I jumped on Typeracer a few times throughout the year to see how I was doing as a way of gauging my progress. I remember when I first started with it I was hovering around the 30wpm mark. A little while later I was in the mid-50s. Recently in the months of December to January I was hitting the mid-70s, so it was evident that my speed and accuracy was improving. At least with Typeracer.

Do I feel better though? Was it worth it? I think so. It was a fun and challenging experience and I am now fully engulfed in the layout, completely abandoning the QWERTY layout except on my phone (where I can still type on it quite well). If I try to use the QWERTY layout on another computer I am met with some difficulty though I can usually do it no problem as long as I am able to look at the keyboard. I am quite fast on the phone still, though.

All in all I am quite happy with it, plus it’s a nice conversation starter, and even a little amusing when I visit someone’s house and have to use their computer and they see me struggling to type. I often get asked, “I thought you were a computer nerd, shouldn’t you be able to type quickly?” I then show them the keyboard layout I use and I’m met with some astonished reactions.

I have seen some other keyboard layouts that have caught my eye, such as Colemak, but for now I am going to stick with Dvorak. It was a great little journey and I am glad I was able to accomplish what I set out to do. That’s always a good feeling.

Posted in Hardware