Curiouser and Curiouser

Acidus

Safari 3 Beta Update 3.0.4
Topic: Miscellaneous 10:29 am EST, Dec 10, 2007

What's included?

New features

* Allows windows to be resized from any side
* Includes an additional font smoothing option ("standard")
* Adds International text input methods
* Adds advanced text options (contextual forms, international scripts)
* Supports NTLM
* Includes auto-detection of PAC files

PAC Files are the devil's candy.

* Supports listing FTP directories

It's about time guys! This was a pathetic and glaring hole in the feature set.

* Links to proxy settings from Safari (Safari respects the proxy settings in the Windows Internet control panel)
* Adds cookie management
* Adds LiveConnect support

Thank You! Thank You! Thank You!

* Includes tooltips
* Adds spell checking and grammar checking
* Allows printing of page numbers, titles, margins
* Improves bookmark collection interface
* Maintains original order of imported bookmarks
* Adds an interface for editing AutoFill information
* History searches now search the full text of visited websites
* Adds a new preference to manually mark RSS articles as read
* Includes support for tilt wheels



if(ISO.contains(PDF)) { dance();}
Topic: Miscellaneous 9:48 am EST, Dec  7, 2007

At the end of January 2007, Adobe submitted its Portable Document Format (PDF) to the ISO. Now, as the year winds to a close, Adobe has announced that PDF 1.7 has been approved by the ISO and will become the ISO 32000 standard (DIS).

Although previous subsets of PDF (specifically PDF/Archive and PDF/Exchange) have been considered by the ISO, the approval of the entire document format as a new standard will impact its development in the future. From this point forward, the ISO, rather than Adobe, is in charge of the PDF specification and any changes that are incorporated into it. According to King, none of the current licensing terms for the PDF standard will change, as it's already licensed for free and readily available to anyone wishing to develop software capable of reading, writing, or processing PDF, but he posits that Adobe's Acrobat suite might see an increased level of competition from other companies as a result of the ISO certification.

I wasn't even aware that this was in the pipeline. Now only if they'll turn over SWFs!



Ory and the kicking of ass and taking of names
Topic: Miscellaneous 3:19 pm EST, Dec  6, 2007

Ory over at IBM/Watchfire does a good job attempting to sort the wheat from the chaff in regards to Larry Suto's comparison report of web scanners. Couple it with HP/SPI's Jeff Forristal's report and you have a good idea about the difficulties of having a true apples to apples comparison of any type of security product, not just web scanners.

If only WASC or OWASP or somebody had some guidelines for evaluating web scanner results :-).

The Web Application Security Evaluation Criteria is a set of guidelines to evaluate web application security scanners on their identification of web application vulnerabilities and its completeness. It will cover things like crawling, parsing, session handling, types of vulnerabilities and information about those vulnerabilities.

Hopefully this will raise awareness about how confusing accurate product comparisons in the security space must be to product reviewers, prospective customers, academics, and even lay people and foster more participation in this WASC project.

But back to Ory:

In addition, I am concerned by the web application security industry - an industry filled with gifted security experts and practitioners, who embraced Suto's whitepaper warmly, without questioning its results or the methodology by which it was conducted for a single moment.

Suto, having good intentions published what he thought was in the best interest of the industry, and my biggest complaint to him was that his experiment methodology was never fully disclosed to the public, therefore could never be confirmed nor rebutted.

On the other hand, one would expect security experts to use a little more judgment when reading technical whitepapers, and be skeptical of results from experiments that are not well documented. Putting numbers into a table doesn't make them meaningful.

Ory, bravo for calling us all out for accepting things without fact checking. It seems even web professionals suffer from improper input validation from time to time! :-)



Fuck you Dean Hachamovitch
Topic: Miscellaneous 12:30 am EST, Dec  6, 2007

So, yes, the version after IE7 is IE8. We looked at a lot of options for the product name. Among the names we considered and ruled out:

Of course, some people care about other aspects of IE8 much more than they care about the name. As I’ve walked different people through the plan, I’ve gotten “Does it have feature X?” “When is the beta?” “When does it release” and even the more thoughtful “What are you trying to accomplish with this release?”

You will hear a lot more from us soon on this blog and in other places. In the meantime, please don’t mistake silence for inaction.

Dean Hachamovitch
General Manager

Dear Dean Hachamovitch, General Manager Internet Explorer Team.

Fuck you

Fuck you for thinking a browser with some tabs and RSS support somehow warrants praise
Fuck you for Notepad as "View Source"
Fuck you for the CSS hacks I shouldn't have to do
Fuck you for your phony adoption rate and security comparison reports
Fuck you for the hell that is IE/JavaScript debugging

Fuck you for winning the web browser wars and then stagnating innovation
Fuck you for 6 years of inaction and silence
Fuck you for telling the world how the web is going to be
Fuck you for your utter contempt of web developers and web standards

Fuck you Dean Hachamovitch and fuck the team you lead. You are hurting us far more than you are helping us

This shit has got to end

Sincerely,
Billy Hoffman

Update



Massive breach in Canadian Passport website
Topic: Miscellaneous 11:50 pm EST, Dec  5, 2007

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.

The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.

[lolcat]I has a session hijacking vuln. I is in your Oracle, pwning all your numberz[/lolcat]
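The flaw as the article describes it, a record fetched by whatever identifier the address names, next to a handler that checks ownership first. This is an added example, not Passport Canada's code; the handler names, record IDs, session tokens and field values are all constructed for illustration.

```python
# Constructed sample data: application records keyed by the ID that appears in the URL.
APPLICATIONS = {
    "1001": {"owner": "alice", "sin": "000-000-001"},
    "1002": {"owner": "bob", "sin": "000-000-002"},
}
SESSIONS = {"tok-a": "alice", "tok-b": "bob"}  # session token -> authenticated user


def view_vulnerable(session_token, app_id):
    """Behaviour matching the report: any logged-in visitor gets whichever ID the URL names."""
    if session_token not in SESSIONS:
        return 401, None
    record = APPLICATIONS.get(app_id)
    return (200, record) if record else (404, None)


def view_hardened(session_token, app_id, audit):
    """Object-level check: the record must belong to the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = APPLICATIONS.get(app_id)
    # Same 404 for "missing" and "not yours", so the response does not confirm which IDs exist.
    if record is None or record["owner"] != user:
        audit.append((user, app_id))  # keep denied lookups for later review
        return 404, None
    return 200, record


def flag_enumeration(audit, threshold=3):
    """Flag users whose denied requests span at least `threshold` distinct IDs."""
    seen = {}
    for user, app_id in audit:
        seen.setdefault(user, set()).add(app_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

Random, unguessable identifiers make such records harder to stumble on, but the ownership check is what actually closes the hole.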



Task Importance
Topic: Miscellaneous 2:07 pm EST, Nov 30, 2007

You gauge a task's importance based on whether your boss calls you from another hemisphere about it or not. So far I have several important tasks!


Quotes at Work
Topic: Miscellaneous 4:33 pm EST, Nov 29, 2007

Today in a meeting...

JavaSteve: Every variable is global in JavaScript
Billy: That's not true, you can locally scope variables to functions using var
JavaSteve: No you can't. That's not what I've seen
Billy: JavaSteve, trust me, you can
JavaSteve: Sorry Billy, I'm positive you are wrong
Billy: ... ok, I didn't want to play this card, but everyone who has written a book on JavaScript, please raise their hand [Raises hand], ok then.
JavaSteve: oh now it's on!
Billy: Go check Chapter 2 in the Rhino book and get back with me JavaSteve.

[5 minutes later]

JavaSteve: HA! You were wrong! ... ... It was Chapter 3, not Chapter 2!

People called Steve JavaSteve to differentiate him from Steve Millar and because JavaSteve works on our JavaScript parsers and interpreters. I asked JavaSteve once why no one called him JavaScriptSteve. He looked at me like I was an idiot.


Thanks to my messengers!
Topic: Miscellaneous 10:25 pm EST, Nov 27, 2007

It only took about 8 hours before I started getting SMS messages telling me that joining the Borg was inevitable and that resistance was futile.

Divide, KP, Thank you for being my messengers!


Quotes at Work
Topic: Miscellaneous 5:19 pm EST, Nov 27, 2007

Billy: [reading an RSA 08 flyer] "What would Alan Turing Do?"
Mark: What *wouldn't* Alan Turing do?
Billy: Yeah, well, that's kind of why he's dead.

How fucking pompous is it for RSA to postulate what Alan Turing would or wouldn't do?


What's the good word?
Topic: Miscellaneous 3:52 pm EST, Nov 26, 2007

From:
Date: Nov 26, 2007 11:52 AM
Subject: [Full-disclosure] To Hell With Georgia
To: full-disclosure@lists.grok.org.uk

UGA may have beaten Georgia Tech this year in football but just
listen to what their website has to say:

http://www.uga.edu/cgi-
bin/ldap?name=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%54%6F+%4
8%65%6C%6C+%57%69%74%68+%47%65%6F%72%67%69%61%27%29%3C%2F%73%63%72%6
9%70%74%3E&submit=Go&ouo=%3Duga&searchtype=cn

I've URI-encoded the injected script as to not spoil the surprise
(benign XSS).

Go Jackets!!!

-George P Burdell

To the Georgia Tech Alumni on Memestreams. What's the good word? To Hell With Georgia!

PS: It looks like George never got the message that Hushmail isn't so secret...


