BlogEngine.NET security flaw

21. April 2008 09:45

Wow, a pretty serious one this.

Version 1.3 of BlogEngine.NET has a security flaw that allows an attacker to view the source code of any file in your blog directory. Update: Make that any file on your website, not just in the blog.

This includes your web.config file, sql.config file and the scariest of all, the users.xml file.


This is the file that, if you're using the default data provider (XML), holds all the user login details for your blog. That's right, admin usernames and passwords, in clear text.

This vulnerability is already in the wild and a quick search on Google reveals about 185,000 results. That's a lot of vulnerable blogs.


There's already a patch for this flaw, but it seems that the download link might be broken. In the meantime, as a temporary fix, you could probably rename the users.xml/sql.config file to something different, i.e. something hard to guess. But if you want to keep your blog online, your web.config is still going to be visible, so make sure there's nothing sensitive in there.

ASP.NET health monitoring

16. April 2008 22:56

The other day I decided to add some really simple health monitoring to my .NET website. That is, if an error occurred while someone was browsing the site, then I'd be notified about it and could fix any recurring problems.

I followed a great post by Mads Kristensen which simply involves creating a Web.config file like so:


<?xml version="1.0"?>
<configuration>
   <appSettings/>
   <connectionStrings/>

   <system.web>
      <compilation debug="false" />
      <trace enabled="true" localOnly="false" />

      <healthMonitoring enabled="true">
         <providers>
            <add name="EmailProvider" 
               type="System.Web.Management.SimpleMailWebEventProvider"
               from="you@domain.com"
               to="you@domain.com"
               subjectPrefix="Error: "
               buffer="true"
               bufferMode="Notification" />
         </providers>
         <rules>
            <add provider="EmailProvider" name="All App Events" eventName="All Errors" />
         </rules>
      </healthMonitoring>


   </system.web>
   <system.net>
      <mailSettings>
         <smtp from="you@domain.com">
            <network host="smtp.domain.com" />
         </smtp>
      </mailSettings>

   </system.net>
</configuration>


If you're adding to an existing Web.config, the bits you need are the trace and healthMonitoring elements inside system.web, and the mailSettings element inside system.net. The areas are pretty much self explanatory. First you enable tracing, then you specify the health monitoring provider that you want to use. In my case, I used the email provider, which allows you to specify the email addresses you want to send to and from, along with a prefix for the email subject line. There's an MSDN page on the trace element which gives you all the different values for these settings. For example, you may want to restrict the number of error emails that are sent to you within a minute, so that you're not getting spammed. Then finally, the mail settings are just for providing your SMTP server settings.
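As an added example (not code from the original post, from Mads Kristensen or from BlogEngine.NET), here is a small Python script that parses a Web.config like the one above and checks that the health monitoring is actually wired up: monitoring enabled, at least one rule, every rule pointing at a declared provider, and an SMTP host present when the mail provider is used. It also flags two settings a reviewer would want to see: compilation debug="true", and trace enabled with localOnly="false", which makes the trace.axd page (request, session and server details) reachable by remote visitors rather than only from the server itself. The embedded config is a constructed copy of the one in the post; point audit_web_config() at your real file's contents in practice.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the Web.config from the post above, embedded inline
# so the audit runs offline. Pass your real file's text to audit_web_config().
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
   <system.web>
      <compilation debug="false" />
      <trace enabled="true" localOnly="false" />
      <healthMonitoring enabled="true">
         <providers>
            <add name="EmailProvider"
               type="System.Web.Management.SimpleMailWebEventProvider"
               from="you@domain.com" to="you@domain.com"
               subjectPrefix="Error: " buffer="true" bufferMode="Notification" />
         </providers>
         <rules>
            <add provider="EmailProvider" name="All App Events" eventName="All Errors" />
         </rules>
      </healthMonitoring>
   </system.web>
   <system.net>
      <mailSettings>
         <smtp from="you@domain.com">
            <network host="smtp.domain.com" />
         </smtp>
      </mailSettings>
   </system.net>
</configuration>
"""


def is_true(value, default="false"):
    """ASP.NET boolean attributes are case-insensitive strings; 'default'
    is what ASP.NET assumes when the attribute is omitted."""
    return (value if value is not None else default).strip().lower() == "true"


def child(elem, tag):
    """First direct child with the given tag. Tags such as 'system.web'
    contain a dot, so plain iteration is safer than an ElementPath string."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for the health-monitoring,
    mail, tracing and debug settings in a Web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    web = child(root, "system.web")
    if web is None:
        return [("error", "no <system.web> section; nothing to audit")]

    # 1. Health monitoring must be enabled, have at least one rule, and every
    #    rule must point at a provider that is actually declared.
    hm = child(web, "healthMonitoring")
    providers = []
    if hm is None or not is_true(hm.get("enabled")):
        findings.append(("error", "healthMonitoring missing or disabled: errors will not be reported"))
    else:
        providers = hm.findall("providers/add")
        names = {p.get("name") for p in providers}
        rules = hm.findall("rules/add")
        if not rules:
            findings.append(("error", "healthMonitoring has no rules: no events will be delivered"))
        for rule in rules:
            if rule.get("provider") not in names:
                findings.append(("error", "rule %r references undeclared provider %r"
                                 % (rule.get("name"), rule.get("provider"))))

    # 2. SimpleMailWebEventProvider can only deliver mail if an SMTP host is set.
    uses_mail = any("SimpleMailWebEventProvider" in (p.get("type") or "") for p in providers)
    smtp = child(child(child(root, "system.net"), "mailSettings"), "smtp")
    if uses_mail and child(smtp, "network") is None:
        findings.append(("error", "mail provider configured but <system.net>/<mailSettings> has no SMTP host"))

    # 3. Settings that hand information to remote visitors rather than to you.
    comp = child(web, "compilation")
    if is_true(comp.get("debug") if comp is not None else None):
        findings.append(("warning", 'compilation debug="true": detailed errors and source lines are shown to visitors'))
    trace = child(web, "trace")
    # localOnly defaults to true when omitted, so only an explicit "false" opens trace.axd remotely.
    if trace is not None and is_true(trace.get("enabled")) and not is_true(trace.get("localOnly"), default="true"):
        findings.append(("warning", 'trace localOnly="false": trace.axd (request and session details) is reachable remotely'))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print("%-7s %s" % (severity.upper(), message))
```

Run against the post's config, the only finding is the trace warning; the health monitoring block itself checks out. If you keep tracing on for the error emails, leave localOnly at its default of true unless you specifically need to read trace.axd from another machine.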

Anyway, the point of this post wasn't to regurgitate Mads' post, but rather to point out that I had implemented this health monitoring myself, and that it was very easy to set up. However, I soon started getting some odd error emails.

These often related to elements of my site that a user would never access directly, such as the Webresource.axd file and even C# code files. It turns out that the culprit is actually the Google spider, which attempts to access these files, but because they are restricted by .NET, an error is generated. The best solution so far seems to be the use of robots.txt to exclude spiders from accessing these files.

Out of Winter hibernation

10. April 2008 16:13

Wow, I've not posted in absolutely ages, which just shows how interesting my life is.

There's been zero fly fishing for months, and all the web development stuff has just been boring stuff for work.

However, BlogEngine.NET has been recently updated to a new version, and now supports Widgets, whatever those are. What caught my attention was a Twitter widget. Now, I've heard about Twitter before, but never really bothered with it because it seemed pretty pointless. The basic gist of it is that it's a service that allows you to tell people what you're doing at that exact moment:

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

Why someone would want to know what I'm doing at that particular point in time is beyond me, unless they're intent on stalking me or something. So yeah, I think I might download the latest BlogEngine.NET and give this Twitter malarkey a go. I'm sure complete strangers will appreciate being able to follow my every move, especially when they only come here for the TV links post.

TV-links alternative

25. November 2007 21:41

Update: After a recent comment on my previous post, the site http://alluc.org was brought to my attention. My 'friend' checked out the site and reliably tells me that although not quite as good as TV links, it does seem quite promising. He suggests you check it out. I, on the other hand, do not condone any kind of copyright infringement :-p 


Since my previous post, I've had a large number of people finding my site after searching for Tv-links alternatives.

So, if you've found a really good alternative site, please leave a link in the comments. I had a quick look at the links provided in the comments for my previous post (for research purposes only you understand ;-) ) and none of them seemed up to scratch. Some required registration, and others seemed to slow my browser to a crawl.

So post away! I'm sure it won't be long until they start shutting down sites that link to other sites, that link to tv shows... 



Posted in: TV links


TV-links shut down?

27. October 2007 04:12

It seems that www.tv-links.co.uk has been shut down, in what's apparently the "first closure of a major UK-based pirate site".

I thought tv-links was hosted in the Netherlands or somewhere, as it has been shut down before and they moved the hosting. No doubt it will rise again like such sites do, or something just as good will come along to take its place.

The Guardian Online states that "The Federation Against Copyright Theft (Fact)  claims that tv-links.co.uk was providing links to illegal film content that had been camcorder recorded from cinemas and then uploaded to the internet. The site also provided links to TV shows that were being illegally distributed."

As has been noted about a million times previously, surely it would be more productive to close down the sites that actually host this content...oh wait, YouTube has already paid off the MPAA and FACT, haven't they?

Guess what people...those 2500 jobs that are to go at the BBC? It's all the fault of TV-links users:
"The theft and distribution of films harms the livelihoods of those working in the UK film industry and in ancillary industries, as well as damaging the economy," Kieron Sharp, head of FACT, said.


Roger Marles, from Trading Standards, said sites such as TV Links allowed people to break UK copyright law. "The 'users' are potentially evading licence fees, subscription fees to digital services or the cost of purchase or admittance to cinemas to view the films," he added.

Perhaps if the BBC featured something other than repeats, and ITV had programmes without fixed competitions, then we might not have to go online to view programmes. Or if they hosted repeats of recent programmes on their own websites, then people wouldn't have to look elsewhere or be forced to download their (Windows-only) software to watch a tiny number of selected repeats. 


Anyway, full article from the Guardian Online is here: http://business.guardian.co.uk/story/0,,2195407,00.html




Posted in: TV links


Top 8 Usability Mistakes on Websites

8. October 2007 10:41

OK so it's been done before by about a million other people, including the Daddy of Usability, Jakob Nielsen. However, I thought I'd create my own Top 8 - why Top 8 you ask? Because I'm an Internet Rebel and I don't conform to your ideals of Top Tens...plus I couldn't think of 10 things to write about.

The points aren't in any kind of priority order, that would just require too much thinking.

8. Not identifying hyperlinks properly.
This issue has been around for ages, but it somehow still exists. Hyperlinks that don't identify themselves as such and require the user to mouse over them to show that they're a link.

I'm not saying all links should be blue and underlined, but they should be differentiated from the rest of the text/content to an extent that I don't have to mouse over them.
I guess this could be one of those areas where design and usability seem to conflict, or more likely, it's because designers are lazy and don't understand the importance of usability.

7. Document links that don't identify themselves as such.
By document links I mean things such as links to PDF or Word documents.
When I click on a link I don't expect Acrobat Reader to suddenly start up. Who even started using PDFs online anyway, weren't they designed for printing?

Anyway, if you really must link to a Word or PDF document, please please designate it as such.

6. Contact links that use mailto: without telling me.
When I see a 'Contact Me' link, I expect it to take me to a contact form, not to open my email application.

5. Login forms which don't allow me to use the 'Enter' key to submit the form.
This annoys me so much, but luckily you don't see it that often.
You type in your login details and then hit 'Enter' and nothing happens. Instead, you then have to move your hand back to the mouse, move it to the login button (which is usually tiny) and click it. OK so maybe it's only a few seconds, but it's 3 seconds I could have spent doing something fun, like eating Jaffa Cakes.

4. Websites which play music automatically.
I can't believe these are still around! It used to be in the form of an embedded QuickTime file at the bottom of the page, but now music is usually incorporated in Flash movies. And you know who the worst offenders for this are? Design studios.
I have no idea why they do it, but I'm guessing they think it makes them look trendy and different from the norm.

The reality is that they're distracting, and remove control from the user. When you're browsing the web, you expect to be in control of the pages you see - what right does a website have to force me to listen to some crappy synthesized music?

3. Bad Flash.
When it's done well, it's very very good. But when it's done bad, it's horrid.
For example, I once witnessed a Flash page transition which was lovely and all, but took about 5 seconds to complete.
Now I don't visit websites to spend my time looking at page transitions, I visit them to complete a task or find out some information. Time spent waiting for pages to transition is just time wasted.

2. Sound mouse-overs.
Unsurprisingly, this gem comes from the creators of the 5 second page transitions and is from the same website.
On the main navigation links there were sound mouse-overs, which weren't accompanied by any form of visual mouse-overs. So, if you had your speakers turned off, or were deaf...then there were no mouse-over effects.

Sound mouse-overs which are accompanied by visual mouse-overs are generally just annoying, but without visual mouse-overs, they're a major usability and accessibility problem.

1. Poorly done CSS drop-down menus.
CSS drop-down navigation menus can be really cool, and much better than any form of Javascript or Flash alternative. But in some cases they're kind of finicky, and will close as you're moving your mouse over them. Or, they're just too small and you accidentally move your mouse off them, causing them to close.

In the worst cases, menu items can prove impossible to access, because as soon as you move your mouse towards the desired link, the menu closes each and every time.



Posted in: usability


Eternally Beta

24. September 2007 13:35

There seems to be some kind of trend recently for online applications and even websites to label themselves as being in 'beta'. I'm pretty sure this can be attributed to Google, whose Gmail has been in beta since it was publicly launched in 2004!

Why something would be in beta this long is beyond me, but it almost seems as if it's to provide some kind of get-out clause for companies. If the server crashes and people lose all their data/emails, the company can just say "We told you to use it at your own risk, it was in beta after all". Does this mean that companies can just rely on 'beta' status to get them out of trouble? If so, is this acceptable? You wouldn't buy a car which was still in testing, would you?

What do you think? Are these completely open, very long term beta tests the way forward, or do you feel uneasy using such an application?


Don't even get me started on websites that include one of those 'Web 2.0' style stars declaring it's in beta. How can a website be in beta?!

---------------

The content of this post may change in the future. It is in beta, after all. 



Posted in: programming


Hello BlogEngine.NET

29. August 2007 21:27

Yes, yes, another new blog, this time using BlogEngine.NET. I can't help myself, I keep finding nice, open source .NET blogs and I have to try them out. Then I realise they include half the stuff I've been trying to implement anyway.

The BlogEngine.NET project seems really cool. Themes are simple to implement, and so are custom controls which can be implemented using .NET's user controls.

I'm attempting to alter it slightly so that it can be used as more of a general CMS, rather than a blog. I love the fact that it uses XML for data storage, which is great for me because I only get one SQL database on my hosting. It's also written in C# so there's none of that nasty, old-fashioned VB to work with.

So anyway, if you're a .NET geek, I'd urge you to check it out. 


</ geek stuff>


The other day I saw an Application on Facebook which displays your blog posts on your profile, so I think I'm going to try it out and see if I can subject people to my mundane daily life. 



Posted in: General | ASP.NET