Buffer Overflow In All Shockwave Players 201
drinkypoo writes: "As per this article at lwn.net there is a buffer overflow which affects "All SWF plugins on all platforms" because bounds checking is not being done on the SWF data. You can use this problem to "execute arbitrary code stored in the SWF file"."
Re:Plugins are stupid anyway (Score:1)
plugins... (Score:1)
1. They do not give me extra information. Moving crap and noise on my screen doesn't relay anything meaningful to me. A picture is worth a thousand words, but plain HTML does that fine.
2. As this article points out, they add greater security concerns, due to added complexity.
3. Sites that use them load slowly. What happened to plain, pure, elegant HTML?
As a rule I avoid sites that use these like the plague. For the web people out there - build your site on lots of GOOD information, a few meaningful pictures, and make it EASY TO NAVIGATE, complete with a search.
Re:hmmmm... (Score:1)
[Scenario 2]
The geek fires up Netscape, and watches as Netscape dumps core.
You won't need Flash to crash Netscape...
Most annoying (Score:1)
Re:it's the content that matters, and ONLY content (Score:1)
~shine
Re:Develop standard HTML,test it in standard brows (Score:1)
For all the Flash / Image users out there who don't have text on their pages, remember this: all the search engines only index text. If you insist on Flash, you just dropped all the potential customers who used a search engine.
Not new (Score:1)
Buffer overflows have not been exploited for the moment, needless to say what OS will be the big victim, the Linux users may worry though.
Developing Open source player is again the answer, check out this project [swift-tools.com] and contribute! Even for Windows.
Anyway, Flash rocks.
Please read the User Guide to learn how to navigat (Score:1)
"Please read the User Guide to learn how to navigate through the site"
No thanks. You have got to be kidding me. This definitely does not "rock".
Re:Develop standard HTML,test it in standard brows (Score:1)
To some people, the look you can achieve is more important than avoiding layout tables and spacer gifs.
There are alternatives, of course, like absolute positioning, netscape's <spacer> tag, etc. But often these solutions are just as hokey and yet less supported by browsers.
-bp
Re:it's the content that matters, and ONLY content (Score:1)
Re:CSS crashes Netscape or is illegal in USA (Score:1)
It works most of the time and that's good enough. If users don't like it when they see the problem, they can get a better browser. I'm sorry. Netscape 4.x is pathetic and Mozilla/NS 6 is still striving to be as good as IE 4. As a web designer, I feel like my hands are tied. Do I live in 1995, or do Netscape users just have to put up with the quirks associated with CSS? I'm tired of living in the past... they can deal with it.
The fact is NS with CSS works most of the time and that is good enough. If someone disagrees then they can go download and use IE or shut up. If IE isn't available on your platform, then good luck with Mozilla or any of the alternative browsers available. NS just isn't the best anymore and apparently never will be. Maybe Netscape 6 will kick ass if Mozilla has *another* three years to work on it, but IE will probably be at 7 by that time (without skipping a version number!).
Netscape is like a bad ex-girlfriend. Used to love her. Now hate her guts. Can't get a restraining order against her.
...winding down. Netscape gets my blood pressure up. One time, on a business trip, I found myself in a similar rant with some co-workers at a restaurant and then thought, "wait a minute... I'm in Mountain View". Actually Palo Alto, but close enough.
Re:Dunno 'bout ya'll... buuuut (Score:2)
Then clearly . . . (Score:2)
. . . lwn.net was running shockwave on a server and got fouled up from a time-travel game . . .
hawk
News alert: uninitialized variable in main.c!!!!!! (Score:2)
Re:Is it possible... (Score:2)
You mean like sendmail and BIND? Try searching the CERT advisories and you'll see what I mean.
I dunno if I should be worried... (Score:2)
I may just be delighted to see "Movie not loaded..." when I right-click on a blank space in a webpage after all!
--
Plugins are stupid anyway (Score:2)
Re:Saying Flash is bad is an understatement. (Score:2)
As I said before, Flash designers care about your
remote X sessions about as much as you care about their silly animations. I'd estimate people browsing across remote
X connections make up less than 1% of page views. It's an insignificant amount.
Remember, most 'normal' people aren't impressed by text-only pages written in HTML2, even though it's an effective way of disseminating info.
Then you factor in the fact Flash renders the animations in realtime, add in that constant animation with transitions/fades and there goes all your CPU power.
This is both a blessing and a curse. By rendering on the client side, you don't need to transfer a zillion frames of a raster animation. BUT, it does suck up processor cycles.
That said, I find I have MANY more processor cycles than kb/s of bandwidth, even on my slowest boxen.
There doesn't appear to be any concept of idle time - its development is similar to Director, which I've worked on for 3 years, and in order to pull off a "Press here to continue" with an animation, you have to loop it. Ick.
(Forgive me if I'm thinking of something else.)
Ummm...Of course you have to loop it.
You can't make a repeating function (like an animation clip) without looping. Some programs
can hide it, but in the end, the processor is still executing a loop.
But then again what do you expect from a product from a company originally developing on the Mac?
Ahhh, the joys of teenage Linux bigotry.
I'm not saying Flash is perfect. It's far from it,
but it's not technology from the smoking pits of hell, either.
--K
Re:No one cares (Score:2)
Absolutely true. I've had cow-orkers ask me (in an almost disbelieving tone) why I
was writing HTML by hand when "Frontpage is already installed"...
I've also heard people talk about "learning HTML" when what they mean is "learning Frontpage".
I kinda like Flash tho, it's nice for making slick, compact, artsy-fartsy things that won't get broken
by crappy HTML renderers. It either works, or it doesn't, and chances are it will work,
because 95% of the viewing population is Win/Mac.
And for the other 5%, it's not hard to include a less 'cool', but equally informative text version.
It all depends on who's doing the work and whether they give a shit.
--K
Plain wrong (Score:2)
Re:Plain wrong (Score:2)
As I said, under any x86 UNIXy system (like Linux), you have a data segment and an exec-segment that have the same linear addresses, spanning all of the linear address space. This means that you more or less entirely bypass the segmentation system. This method of bypassing the system is even described in the Intel manual, with reference to porting mainframe OSes! In this model, CS is always equal to the segment descriptor with the exec flag set, and SS/DS/ES/FS/GS the one with the write/read flags set. All access control (read only or read write) is then done in the page system, where there is no notion of execution.
If you don't believe me, check out the Pentium manual [intel.com], page 108, figure 4-1 (not the same as the hardcopy I referred to before, this is for the Pentium, not Pentium Pro, but this particular thing hasn't changed a bit).
Re:Flash is a piece of shit (Score:2)
Perhaps it does that now, I don't care. It's (a) a security risk, (b) an unnecessary piece of shit (as previously stated.)
As you can tell, Macromedia annoyed me with this. But this also goes to a bigger, more serious issue - that of one-click downloads and updates of software on user's computers. Most users aren't able to make an informed choice about the software they're "choosing" to download. They just want to see the latest shiny thing on the website they're looking at, or get the latest update to anything from Winamp to their IM client. While this is a marketer's dream, it's a security nightmare. As the macro virus holes in software like Office are slowly closed, downloadable Web widgets are likely to become the next major virus delivery channel. And you can't trust "name-brand" companies like Macromedia, as this buffer overflow bug proves.
So don't give me "People, you're not even trying." I'm not trying, I'm succeeding, in following and promulgating successful security policies.
Flash is a piece of shit (Score:2)
Dunno 'bout ya'll... buuuut (Score:2)
It was lame and useless... *shrug*
Yeah.. I'm on DSL and it only takes 10 seconds
for an Obnoxiously large web-site to load.. but I sure miss
Those REALLY nicely formatted sites that loaded
in ONE second using Lynx and a 28.8 connect.
Shockwave is like those metallic ribbons you
find hanging from the ends of the handle bars
on a girls bike. They may look pretty and be
entertaining to a simpleton with the IQ of jello
but they really don't serve any useful purpose.
Re:it's the content that matters, and ONLY content (Score:2)
If you want to market to me, the same still applies: "Just the facts, ma'am." If I have to wait 10 seconds for some fancy graphics/animation/whatever to download, I'm more likely to click "back" than to patiently wait to be spoonfed a commercial that substitutes flash for content.
It is not uncommon for me to go to sites specifically looking for product information and leave without that information because I don't feel like waiting for the dog'n'pony show to finish. Those vendors lose my business.
Same thing with other kinds of sites. ABC news used to have a decent site, but they "upgraded" it to make it more commercial friendly at the expense of making it hard to skim the headlines. I haven't been back since the "upgrade", so now I don't see any of their commercials.
--
Re:it's the content that matters, and ONLY content (Score:2)
Trust me -- in online marketing terms, Click Here [slashdot.org] works, and that's the sad part.
Click here to learn how to make money on the web. (Score:2)
Stupid question... (Score:2)
Has there ever actually been an actual and successful exploit using a buffer overrun that caused anything other than a GPF/segfault?
There's a lot of heat and noise about the sieve-like quality of software security of Internet software, but is it _really_ that much of a risk?
(Which isn't to say it shouldn't be addressed with all haste)
Rick
Due to a Y2K bug, all Y2K bugs occurred on 1 January 2001.
MY GOD (Score:2)
Re:Need Linux Multimedia DHTML/Flash Clone (Score:2)
DHTML is a generic term to describe a lot of different things, like "object-oriented" or "open source." DHTML is not a specific technology. It is a collection of several standards: CSS, JavaScript and CSSP. And furthermore, you already have an "open source DHTML" project. It's called Mozilla.
If you're saying you need an open source Flash clone, take a look at SVG: XML-based vector graphics. It's supported by W3C and Adobe (amongst others).
- Scott
------
Scott Stevenson
Mod Up + Karma whoring: Gabocorp (Score:2)
Re:buffer overflows--again? (Score:2)
For those that don't understand what I'm talking about....
Stack overflows take some simple data like this:
char name[25];                       /* 25-byte buffer on the stack */
something_broken_like_gets(name);    /* gets()-style read with no length limit */
Now when you feed in a string like "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Re:no exploit (Score:2)
Re:buffer overflows--again? (Score:2)
Re:no No NO! Pitiful excuses! (Score:2)
Re:Without pointers you are not Turing complete (Score:2)
Re:buffer overflows--again? (Score:2)
Wrong group (Score:2)
Re:Is it possible... (Score:2)
Re:"How long, O Lord?" (Score:2)
Re:hmmmm... (Score:2)
Re:hmmmm... (Score:2)
Re:Plain wrong (Score:2)
Re:Plain wrong (Score:2)
char *p;
...
*(p++) = 'A';
...
Now how do you know that p is pointing to the data segment or to the stack segment? You can't. Maybe you can define a new kind of pointer (called a "far" pointer in borland compilers) that contains the segment descriptor in the pointer. But unfortunately you'll have to get the segment descriptor out of the pointer and put it into a segment register before you can do it.
Re:"How long, O Lord?" (Score:2)
Re:Plain wrong (Score:2)
Re:Plain wrong (Score:2)
General Question about Bounds Overflow issues (Score:2)
--Mike--
Not one sentence...... (Score:2)
Re:Oh great... (Score:2)
Re:it's the content that matters, and ONLY content (Score:2)
Does this affect both types of Shockwave plugins? (Score:2)
So, from the fact that Neal mentions running it on Linux, I'm pretty sure he means the regular Flash player is vulnerable... but how about the other Shockwave plugin - the one that plays both Flash and Director files? Since he only refers to crashing it with SWF files, it's not clear to me whether he means the other plugin is vulnerable - and if it is, could it be crashed with a DCR file?
Full Disclosure (Score:2)
Yes, I know there are some shining exceptions. But I think that generally, unless a company has a clear track record of working with outsiders to fix holes in a timely fashion, anybody discovering an exploit should post it to bugtraq immediately. Vendors like Macromedia don't deserve the courtesy of advance notification, especially when it leaves huge numbers of machines vulnerable for months.
Re:Its not only content! (Score:2)
Ah yes, the drooling morons theory, commonly held by cynical techies. The problem is I have yet to meet one of these drooling morons. The non-tech savvy people I've seen surfing the web are easily confused and intimidated by complex, flashing, javascript-infested sites. They like simple fast sites like Yahoo, and above all sites that make them feel in control.
I agree there is some delta between the geeks and the normals - the normals seem to like one chunk of info per page, with clear navigation to access sibling, parent and child chunks of info. The geeks like lots of info on a page so they don't have to interrupt their info uptake for a page load.
Entertainment? Are you sure? (Score:2)
Re:it's the content that matters, and ONLY content (Score:2)
Who survived the e-commerce bloodbath? Amazon comes to mind - flashy perhaps, but info-rich with reviews and easy searching.
It's worth remembering that most attempts to "cash in on those knee-jerk, primitive instincts" ended up losing money. Maybe people aren't as primitive as merchants think.
Re:it's the content that matters, and ONLY content (Score:2)
I'd like a smarter lynx, that could among other things collapse these navbars into something like a listbox, so it would become only one element to skip past when you don't want it.
Re the unfriendly frameset issue, I wish designers would use something like:
I think the invitation to upgrade your browser is a poor idea because most people running a non-frames browser in 2001 are probably doing it on purpose, and there's no sense driving visitors away to do some other task, after which they'll probably forget to come back.
Re:Why Slow Response from Macromedia? (Score:2)
Generically, that describes any buffer overflow exploit that hasn't been perfected yet. If a program has a buffer 100 bytes long with no checking, and I feed it a 10M string, it will almost certainly crash. My string will have overwritten part of the program with instructions the CPU probably doesn't like. With enough work, I can design a string that puts some properly written machine language in a location the program will call or jump to. Thus, I can execute arbitrary code with the same privileges as the program.
Re:It could be much worse than what you described. (Score:2)
Re:hmmmm... (Score:2)
Re:General Question about Bounds Overflow issues (Score:2)
It's very different when you talk about commonly used net plug-ins and their technologies (Media Player, Flash, Active-X).
What this proves at the end of the day was that the original Java Architects were 100% correct. Security has to be designed in by people who really understand it -- it can't be kludged on as an after-thought.
Why Slow Response from Macromedia? (Score:2)
Re:it's the content that matters, and ONLY content (Score:2)
Not that it invalidates any of the points made, though...
Re:unable to close the hole .....Eurika! (Score:2)
Rich
Re:it's the content that matters, and ONLY content (Score:2)
anything that says UNDER CONSTRUCTION
What if the site is about something else that's under construction, such as a software package? What would a building construction company do?
clear 1X1 pixel gifs used for spacing with alt tags that say "spacer"
I agree here. Ditch the spacers except in Netscape 4.x which can't render CSS; even then, a spacer's alt tag should be alt=""
don't use javascript to display text
How do you generate dynamic content if you aren't paying big bux0r$$$ for access to a cgi-bin folder? The only way is through client-side EcmaScript or Java technology.
websites that play music
So are you saying that web-based interfaces to the Napster service are unacceptable? Sometimes, the music is the content, but I see your point when the music is there just for flashturbation[?] [everything2.com].
websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
Even piece-of-crash Nutscrape 4.x?
more than one animated gif on a page
I agree here. Animation should be used with moderation; even then, it should be done using PNGs and EcmaScript (or MNGs in 6.0 browsers), not GIFs [burnallgifs.org].
I'd like to add one more: right-click traps[?] [everything2.com]. See also the Right-Click Trap Shit List [8m.com].
Tetris on drugs, NES music, and GNOME vs. KDE Bingo [pineight.com].
Re:it's the content that matters, and ONLY content (Score:2)
I've tried to send complaints to some of these folks. Usually they don't have a feedback link. When they do, they never care that the page doesn't work. I usually send an email when the site doesn't work with javascript disabled. Often times it's just a pull-down list that jumps you to a certain part of the site automatically, and lacks a little "go" button next to it.
They could not care less. When they do respond, it's usually "Javascript is required". One of the really good recent examples I recall is the search page at iwon.com [iwon.com]. If javascript is disabled, you get a blank page with only their logo in the corner. They didn't seem to care when I mentioned that every other search engine/portal works without javascript. If you're up for a challenge, try poking around at iwon.com's site to find an email address or feedback entry page. They obviously don't want to hear from their users.
Oh great... (Score:2)
GPL-ed Flash plugin for Linux (Score:2)
The player doesn't look like it is being actively developed, though maybe someone out there [mailto] is interested?
Re:hmm (Score:2)
See, this is why buffer overflows are common. People make mistakes on the end of the buffer. A 100 byte line will cause the overflow (\0 on the end)
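The overflow the thread keeps circling back to ("char name[25]" filled by a gets()-style call in the "Re:buffer overflows--again?" post, the "100 byte buffer, 10M string" description in "Re:Why Slow Response from Macromedia?", and the "\0 on the end" off-by-one just above) is what happens when a length taken from the file is trusted. Below is an added example, not code from the thread, from Macromedia or from any real player: it parses a constructed, generic length-prefixed record (one length byte, then that many bytes of name; this is not the SWF format, only a stand-in for untrusted file data) into the thread's 25-byte buffer with the two bounds checks a player would need.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from any Flash player.
 * Record layout (constructed for this example, not SWF): one length byte
 * followed by that many bytes of name. parse_record() returns 0 on
 * success and -1 when the record is rejected without touching 'name'. */

#define NAME_LEN 25   /* the 25-byte buffer from the thread's example */

struct record {
    size_t consumed;      /* bytes of input used by this record */
    char name[NAME_LEN];  /* NUL-terminated copy of the name field */
};

/* Bounds-checked parse. Two checks stand between the length byte and the
 * fixed-size buffer:
 *  1. the declared length must fit in the input that actually remains;
 *  2. the declared length must leave room for the terminating '\0',
 *     i.e. len < sizeof name, not len <= sizeof name (the off-by-one the
 *     thread warns about: a 25-byte name plus its terminator needs 26). */
int parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 1)
        return -1;                     /* no length byte at all */
    size_t len = buf[0];
    if (len > buflen - 1)
        return -1;                     /* length claims more than we have */
    if (len >= sizeof out->name)
        return -1;                     /* would not fit with the '\0' */
    memcpy(out->name, buf + 1, len);
    out->name[len] = '\0';
    out->consumed = 1 + len;
    return 0;
}

/* Walk a stream of records; stop at the first malformed one, report its
 * offset through *bad_offset, and return how many parsed cleanly. An
 * unchecked parser would instead memcpy an attacker-chosen length into
 * the 25-byte buffer, which is the overflow the article describes. */
size_t parse_stream(const uint8_t *buf, size_t buflen, size_t *bad_offset)
{
    size_t off = 0, count = 0;
    struct record r;
    while (off < buflen) {
        if (parse_record(buf + off, buflen - off, &r) != 0) {
            if (bad_offset) *bad_offset = off;
            return count;
        }
        off += r.consumed;
        count++;
    }
    if (bad_offset) *bad_offset = buflen;  /* whole input parsed */
    return count;
}

/* Constructed sample input: two well-formed records followed by one whose
 * length byte (0xFF) claims 255 bytes that neither the input nor the
 * 25-byte buffer can hold. */
const uint8_t SAMPLE[] = {
    3, 'b', 'o', 'b',
    5, 'a', 'l', 'i', 'c', 'e',
    0xFF, 'A', 'A', 'A', 'A'
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    size_t bad = 0;
    size_t n = parse_stream(SAMPLE, SAMPLE_LEN, &bad);
    printf("%zu record(s) parsed, first rejected at offset %zu\n", n, bad);
    return 0;
}
```

The second check is the one the "Re:hmm" post is about: a 24-character name fits in char name[25] because the terminator takes the 25th byte, and a 25-character name is rejected rather than written one byte past the end. The first check is what the lwn.net summary says the players were missing: nothing in the file is allowed to claim more data than was actually read.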
How about revocation certificates? (Score:2)
For things like PGP keys, you can issue a 'revocation certificate.' This is something that's generated from the private key and a user can look at it, look at your public key and see that indeed, you made the certificate and intend to say that "this key should no longer be used."
For all practical purposes, without the private key it's impossible to forge such a certificate, in the same way that it's practically impossible to go backwards from a public key to the private one (without the resources of, say, the NSA or distributed.net).
Given that with things like Windows and Flash, it seems inevitable that these programs are going to make contact with their makers occasionally (be it to check for updates, download banner ads, espionage or whatever), why not allow the parent site to send out a revocation certificate? If the software is designed to check for a certificate and refuse to function, then what might happen in this scenario is within the next few days, all Flash users receive a popup the next time they run Flash that says
Given that this sort of thing will probably end up happening anyway for other reasons (ie forced obsolescence), why not put it to good use as well?
Re:Exactly... (Score:2)
Isn't this unnecessary? I'm under the impression that Flash files get loaded automatically once someone already has the plugin. So all that's really necessary is creating a page that people will go to (porn works well) and placing the flash file in question on it.
Or crackers could place the evil flash file on a popular web site in addition to or in lieu of the general vandalism that takes place.
New Metallica Version of Camp Chaos Cartoons! (Score:2)
You can use this problem to "execute arbitrary code stored in the SWF file".
Uh-oh.
Watch out for new Metallica versions of the Camp Chaos [campchaos.com] cartoons!
"Hey! This is, like, you know, Lars Ulrich from Metallica, and we've got a few choice words on Napster. At this very moment, we're, like, deleting everything with an MP3 extension on, like, your computer. And, like, every filename with the word Napster in it. James learned Linux for you!"
"Linux GOOD! Fire BAD! Napster BAD!"
"Finally, like, we think you hackers and computer nerds that we used to beat up in high school are, like, pretty cool with us, 'cause, like, without you guys, we'd have had no clue, like, no fucking idea, like, how to stop all the money grubbers sharing our stuff with Napster. I mean, we put blood, sweat and motherfucking beers into our music!"
Re:hmmmm... (Score:2)
--
Develop standard HTML,test it in standard browsers (Score:2)
I have designed dozens of websites and targeted my hand-made code to my test browser.
I actually saw many differences according to the visitor's web browser except in one case: Fresco [ant.co.uk] is a web browser aimed at RiscOS [riscos.com] platforms.
Whenever optimizing my code to look properly on it, it usually looked the same on all the popular browsers.
Bottom line: neither Java nor JavaScript, nor SSL, but in this case you can still choose another popular RiscOS browser such as Webster [demon.co.uk]
Maybe there is a need for web developers to learn to code in standard HTML, especially when I see the crap generated by most HTML-generators (yuk
Finally, Fresco was developed for Oracle's Network Computer, whose first prototypes were developed by Acorn [e-14.com].
--
Re:hmmmm... (Score:2)
--
Re:unable to close the hole .....Eurika! (Score:2)
sig:
Re:hmmmm... (Score:2)
There still may be danger, even if you're running your netscape application as a dummy user. Since you have to grant that user access to your X display, there may be security faults/features in the X server itself to which you're now vulnerable.
X authentication exists for a reason... if you override it, be sure you understand the risks :-)
What would happen?? (Score:2)
Platforms with **NO** Flash Plugins (Score:2)
I agree with the KISS principle of website design. Maybe we'll be lucky - someone will exploit this bug, and then someone will sue Macromedia and they'll go bankrupt and there won't be any more FlashTrash. (Unfortunately if that happened, Micro$quish would buy them out and integrate Flash into Windoze - they could replace the "Active Desktop" with the "Hyperactive Desktop"!!)
Is it possible... (Score:2)
Yet another argument for open source software...
Re:Hmm. Maybe there is neat uses for this (Score:2)
A malicious website could say, gather information about a person's computer with an innocent looking form (this would be the nit-wit factor here) and use it to create an on-the-fly generated Flash animation that knows exactly what to do to nit-wit's computer.
Or, with that previous Netscape JVM bug, generate a file-list from the user's computer, and then use the Flash plugin to delete/corrupt the exact location of files. This wouldn't even need the nit-wit factor.
And like, I'm not very smart, so there must be way better ways to mess people up with this.
And have I disabled flash? I'll do it tomorrow...
Hmm. Maybe there is neat uses for this (Score:3)
Many embedded web browsing devices ship with support for Flash. Maybe this overflow could be used to execute any code on those boxes if it was not possible otherwise. E.g. just load shockwave movie from http://linux.boot.org/ and your box will boot to Linux. Would not that be cool?
Now, think what we could do with a beowulf cluster of Flashed computers. This will give whole new meaning for flashing new applications.
Re:buffer overflows--again? (Score:3)
ahah! (Score:3)
those nefarious bastards!
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
CSS crashes Netscape or is illegal in USA (Score:3)
No, it is completely NOT necessary with css.
Unless you're selling DVDs, you don't have to worry about CSS issues.
Oh, that CSS. Cascading style sheets. The one that crashes Netscape 4.x, one of the most popular browsers on the Net (because Mozilla won't run well on their 32 MB machines). If you're using CSS layout, you may want to use a DeCSS filter [pigdog.org] to remove the formatting for those who are behind Nutscrape.
Tetris on drugs, NES music, and GNOME vs. KDE Bingo [pineight.com].
Bummer..... Not many will care... (Score:3)
Easier way of updating browsers? (Score:3)
The Windows update utility will fix this for some Windows users, but again, most users aren't using the latest version, or they'll just cancel the download.
Are there any really good ways for a browser to be kept up to date without causing too much trouble on the users part or sacrificing any security (for the anti-Microsoft paranoids)?
Comment removed (Score:3)
No one cares (Score:4)
Hardly anyone who does Flash even knows about, let alone cares about Linux support.
The two major consumer platforms are well supported (and exploited, now!)
and Linux still holds a tiny amount of market share.
Not to mention hardcore Linux users will occasionally drop into 'doze or MacOS to browse,
simply because Netscape sucks SO much.
(Konqueror, on the other hand, is really getting there. Even supports Flash.)
IIRC, keyboard navigation *IS* possible in Flash, but it has to be authored in, which most people neglect to do.
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
Once again, the average Flash author will prolly think 'X' is some pr0n reference.
X platforms simply don't have enough market share for Random Webdesigner to care about - as long as (s)he hits the target audience and gets paid, (s)he's happy.
The Flash player is definitely a buggy piece of software, but I've had far less
lockups and far more speed with Flash than with Java, so I really can't bitch about stability too much.
The buffer overflow is *extremely* careless tho...hopefully Macromedia will fix it soon.
--K
Glad I Haven't Installed Shockwave (Score:4)
I've been meaning to install Shockwave on my Linux box to look at all the fancy things everyone else gets, but now I'm glad I haven't done so yet.
One common misconception about Unix security is if something doesn't run as root, any possible exploit is not important. A Shockwave player compromise can still read your mail, get/alter your files, even ptrace Netscape or ssh and grab your passwords. Doing as many things as possible under a non-root user is good practice, but does not solve all problems.
Re:unable to close the hole .....Eurika! (Score:4)
c:\windows\system\macromedia
it's now been sent to
This is fairly old (Score:4)
http://www.securityfocus.com/bid/2162
Cheers
"How long, O Lord?" (Score:5)
When are developers going to wise up? Or do we still have a world full of developers who've never heard of the concept "buffer overflow", and thus don't know they should be taking precautions.
I know there are subtleties of security that won't be cured by a silver bullet, but BOs are discovered almost daily, and unless you're a hermit that never hears about any of those discoveries, there's not much excuse for publishing a program with a BO in it.
[Writer crosses fingers hoping not to be the next person to publish one!]
--
it's the content that matters, and ONLY content (Score:5)
Spend your time on content, and when you've got good content, add in features... but don't ever trade off usability or accessibility for 'animated pull-down menus with sound and all sorts of mouseover hoopla' that won't work with anything but the latest browsers.
Use lynx and links to test your site for navigation. If you can't at least navigate your site with these tools, then it's time to start over.
My personal list of website peeves:
- Click here to enter -- Duh!? I already entered the url, doesn't that mean I want to enter?
- anything that says UNDER CONSTRUCTION -- no informational value. Everything on the internet is under construction
- clear 1X1 pixel gifs used for spacing with alt tags that say "spacer" - doing typesetting with 1X1 pixel transparent gifs is a kludge that adds a lot of excess html to your docs
- more than 2 frames in a page - on rare occasion, I can stomach two frames.
- using javascript for something that could be done with standard html - don't use javascript to display text, for example
- websites that play music - saw a sig on
- websites that have all info in non-html or text formats like doc, xls, pdf, ps - Thanks for nothing - just post the info and use html or text. More info and file formats are nice, but put the info in text first.
- websites that try to determine your browser type and give you messages about needing a different browser - deal with what I have. You're in no position to require me to do anything.
- popup ads - did I ask you to open a window?
- any site that says: "Welcome to my website" - duh!
- more than one animated gif on a page
there are more, but I don't have the time to list them all. Bottom line: cut the junk and leave the content.
no exploit (Score:5)
Re:it's the content that matters, and ONLY content (Score:5)
Good list.
My list of peeves is very similar, but also includes click here [slashdot.org] links. When one glances at a webpage the links stand out. So one can usually just scan down and find the link one wants. But this doesn't work when the text that stands out is click here [slashdot.org], click here [slashdot.org] and click here [slashdot.org].
click here [slashdot.org] for Slashdot,
vs
Visit Slashdot [slashdot.org].
Flash baad (Score:5)
-Having two points on the same coordinate in any kind of vectorial shape causes a crash (something like a division by zero).
-The integration into the web browser is at best in pre alpha stage. Try resizing a .swf under Netscape in Linux and you crash within a few seconds. Under IE5 keyboard navigation on a web page becomes impossible (For people who can't use a mouse this is really a problem).
-Viewing web pages with flash content is almost unbearable on a remote X11 display and eats up the complete bandwidth. It especially pisses me off if people have flash web banners on their pages like f.ex. sharkyextreme.com.
-Specs for the newest .swf format revisions are always kept secret. Flash5 contains a JavaScript like language called ActionScript. This kind of stuff scares me to death...
hmmmm... (Score:5)
alias nsnav='su - dummy -c netscape'
alias nsmail=netscape
launch the mail as usual or with the nsmail command and if you want to surf (see here [slashdot.org] why you would like to), just launch navigator with the nsnav command.
Of course, you'd better use Konqueror or W3-Emacs but this was my 0.01$ bit.
--
Um... (Score:5)
This has been out for a while.... (Score:5)
Oh well, my favorite resource [securityfocus.com] has some more information here [securityfocus.com]