Archive for October, 2004

Some people are never happy, part 2

Friday, October 29th, 2004
  • 66984 - Need name for new image library (rename libpr0n).
  • 108816 - World War III: "What should Backspace do (or not)".
  • 259207 - Mozilla firefox needs a title song.
  • 261354 - RSS button looks like it says "ASS".
  • 262173 - Firefox Icon Problem - new firefox icon appears to be giant red panda that is humping south america.
  • 266457 - Inappropriate content in the Firefox Crew's Pick list (default bookmarks).
  • 34669 comment 11 - "Fixing summary to not end with 'loads of ass' when truncated at 60 chars."

Thanks to Peter van der Woude for telling me about several of these bugs.

Part 1

My impressions of Google Desktop Search

Friday, October 22nd, 2004

Google Desktop Search is useful enough for me to keep it installed, but I wouldn't say that it works well.

Functionality

  • The file I'm looking for is often missing from Google Desktop Search's index. Even the filename is missing. I can't tell if it decided to skip the file because of its extension, contents, location, or changed-on date. Sometimes touching the file gets it indexed, but sometimes it doesn't.
  • It "caches" old versions of files often enough to take up disk space unnecessarily, but not often enough that I can rely on it for a revision history when I break something.
  • Since Google Desktop Search is slower than www.google.com, leaving "Show Desktop Search results on Google Web Search result pages" checked makes it slow down web searches.
  • It gets much slower if I add num=100 to the URLs. A search with num=100 usually takes 3 seconds. This would be ok if it streamed the results, but I just don't see anything for 3 seconds. (There's no UI for adding num=100, so it's not really fair to complain.)

Security

  • "Show Desktop Search results on Google Web Search result pages", which is checked by default, elevates any XSS hole in www.google.com to a read-my-files hole.
  • Google Desktop Search uses an interesting scheme to mitigate XSS and CSRF holes: it includes a hash in every URL, even the root. The hash includes the path and sometimes includes the query parameters. If the hash is missing or doesn't match, it returns "Invalid Request".
  • Clicking a link to an .exe file in search results runs it without any warning.
  • The web site doesn't mention the current version number. The program doesn't have a "Check for upgrades" link, and if it checks automatically, it makes no indication of that fact.
  • Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.
  • The index is stored in a predictable location. "File upload holes", which let sites read your files if they know the filenames, are common in web browsers. File upload holes that require no user interaction are usually fixed quickly. But file upload holes that do require user interaction are not always fixed quickly. Two file upload holes requiring user interaction that I reported in 2000 are still present in IE and Firefox.

Bookmarklets in print

Wednesday, October 20th, 2004

My bookmarklets have appeared in print media several times:

  • PC Magazine, Fall 2004 Digital Home issue: Security Watch: Revealing Passwords mentions my view passwords bookmarklet.

    KMGI focuses on Microsoft products, but we also found a bookmarklet (a piece of JavaScript you save as a browser bookmark) that's more brand-agnostic -- and free. It's called "view passwords" and is available at www.squarefree.com. "View passwords" exposes saved password text in IE, Firefox, Mozilla, and Netscape. The script also reveals hidden text in Opera, but the way that browser executes saved passwords -- by filling in the user name and password, then activating the Submit button -- prevents the bookmarklet from working, except on a very slow page load.

  • O'Reilly's Google: The Missing Manual (May 2004) devotes almost two pages to my search and seo bookmarklets.
  • PC Magazine (February 2004): Bookmarklets Boost Web Surfing.
  • Heise c't (November 2003) has a screenshot of the result of using the "number rows" bookmarklet, if I'm remembering correctly.
  • New York Times (August 21, 2003): Fishing for Information? Try Better Bait had a paragraph about the @alltheweb bookmarklet.

I have print copies of all of these except the Feb 2004 PC Magazine article. O'Reilly shipped me a free copy of Google: The Missing Manual, Matti sent me a copy of the issue of Heise magazine from Germany, and I bought the others at bookstores.

Community Firefox ad in The New York Times

Tuesday, October 19th, 2004

The Mozilla Foundation plans to run a full-page Firefox ad in The New York Times soon after the launch of Firefox 1.0. Spread Firefox is asking for donations to fund the ad and expenses related to the 1.0 launch.

All donors' names will be included in the ad. In addition to creating an incentive to donate, this strengthens the ad by showing that it was paid for by a large community rather than a corporation. (Why don't more political and non-profit ads do the same thing?)

I donated today. If ten readers donate through my donation link, I will be listed as a Community Champion instead of just a donor.

Request for extension ideas

Monday, October 18th, 2004

What new Firefox extensions would you like to see?

Political Halloween costumes

Friday, October 15th, 2004

Some ideas for political Halloween costumes:

Update 2004-10-30: Other people came up with funnier ideas for political Halloween costumes and illustrated them:

New Firefox extension: Search Keys

Friday, October 15th, 2004

Search Keys lets you go to search results by pressing the number of the search result instead of clicking. You can press 1 to go to the first result, Shift+2 to open the second result in a new window, etc. It works with Google, Google News, Google Groups, Google Desktop Search, and del.icio.us.

Update Oct 16, 2004: The shortcut for opening in a new tab is now Alt+N on Windows and Mac, to avoid conflicting with the Ctrl+N shortcut for switching tabs. It is still Ctrl+N on Linux, which uses Alt+N for switching tabs.

StarcraftGamers on UCSD Starcraft flyer

Tuesday, October 5th, 2004

The Starcraft flyer I photographed and blogged made its way to a site called StarcraftGamers. The site has an article about the flyer and the associated research.