I am a firm believer that application-level keybindings should always take precedence over website keybindings, no matter what. Not only is this in line with the conceptual view of how the two interact, but it’s better for security reasons, take, for example, the keyboard shortcuts to access the preferences for almost all applications on OSX: Apple+, (or CMD)

Why stop with usability features like focusing the find box? Why not overwrite the keyboard shortcut for accessing the preferences for a browser, trick the website user into clicking on something he or she should not be clicking on. (Note that it requires javascript. Firefox’s popup blocker will catch it, but Safari’s does not, it also looks more realistic in Safari).

Here’s an example, a page that I’m hosting (it doesn’t do anything malicious )

Use CMD+, to open the preferences for either safari or firefox, I used firefox for this example, but I could just have easily used safari. I mocked this up in about 5 minutes, I could easily have opened a page instead of just an image also.

Did you see the fake preferences window? Now tell me how many people (non-technical users) would immediately know that this window was not the real preferences window for Firefox? What if the website had a “How-to” guide for setting a Firefox preference, and encouraged the user to “Press CMD+, to open the preferences, then click on <blah> and type <blah>”. If the website showed a picture of a false preferences panel and said “It’s perfectly normal for firefox preferences to ask for your password, enter it into the box on the ‘Security’ tab”, how many users might be tricked into doing that? You could write a guide for setting a preference that was actually a phishing site.

Comeon browser devs, don’t let javascript steal ALL the shortcuts, at least don’t pass browser-specific shortcuts to the site BEFORE handling them. (Or make it an option you have to turn on?)

Thoughts? What do you think, should websites have the ability to capture keystrokes? Should browser developers pass things through? What about a site-(white|black)list for keyboard shortcuts?

Anyone that might have read my blog for a long time might remember this post about how I do GTD (Getting To Done) on my machine(s). Well, I decided it’s been quite a while since I’ve talked about that, so I’ll go through some of my workflow, tools and quirks.

If you read my blog soley for security content, you can skip this post Personally I like to read other people’s workflows/setup to see if there is an interesting way I can fit useful tools into my own setup. Anyhow, on with the details

I have 3 machines that I primarily use. My main machine is a MacBook Pro with an attached Dell LCD monitor running OSX (what else?), the second machine is a Dell Optiplex tower running Ubuntu 8.04. The third machine is a Dell 610 laptop that dual-boots Hex and Windows. Here’s a picture of my default setup on the machines:

OSX

Ubuntu

Hex

Most of my work is done on the MacBook (my personal machine, not supplied by work), I use the Ubuntu machine for tasks that span multiple days, so I can leave a screen term logged in and attach/detach whenever I need to take my laptop home. The Hex machine is mainly used for security purposes, packet analysis, nsm-console development testing, etc.

I like to keep a pretty clean desktop, clutter really tends to irritate me. I try as hard as I can to separate everything that would be on the desktop into either a “papers”, “media”, “code” or “misc” folder. In the previous post about GTD, I mentioned that we use the Mantis ticketing system to keep track of administration tickets. We still use Mantis, just recently upgraded, you can check out a shot here:

If my firefox looks a little strange, it’s because I use the vimperator extension to give firefox Vim-like keybindings and layout. It helps someone who spends a large amount of time in a vim editor to transition quickly between text editing and web-browsing. Speaking of text editing, I absolutely love MacVim and really recommend it to anyone using OSX who likes Vim:

I’ve also transitioned from Mutt to Thunderbird, mostly because Mutt’s 2-way IMAP settings are not so great if you have to check mail between multiple computers. I use the pre-release muttator extension to give Thunderbird mutt-like keybindings:

I use the standard GTD folder naming, which mostly consists of “Inbox”, “Archive” and “Do” folders. (I hope the idea behind each folder is obvious). I still use Gmail for personal email, but can’t access it from inside the work network over POP3 or IMAP due to firewall restrictions, so I use the web client.

Instead of using iCal for meetings, like I was doing, I moved to using Google Calendar, which is aided by the notifier for events, so I don’t have to set up reminders for meetings. It also lets me share my wife’s calendar and see what she’s up to As well as google calendar, I also use gReader to browse my 222 RSS subscriptions, nothing else comes close as far as I’m concerned (yay more vim-like keybindings).

I do still use a moleskine, but lately I’ve transitioned to the next larger notebook (5′ x 7′), so that I can write out larger notes and more information (writting assembly notation in a tiny notebook gets annoying). I make use of the same sort of TODO list as in my last post ( – for an incomplete task, + for a completed task ). I take it to all meetings I go to and doodle in it sometimes I still use the smaller book for lists and small notes.

One of the things I’ve found is that despite having a widescreen 2nd monitor, the ‘wide’ part doesn’t really help any for what I do, so I flipped the monitor up to make it vertical, which is really helpful for using IDA, since I can see more instructions at once, here’s the malware I’ve working on at the moment:

Since I normally have at least 1 VM running, as well as mail, 1 or 2 browsers, X11, Adium, MacVim and any other number of things, I cut down on RAM usage by using cmus (hurray more vim keybindings) for a music playing instead of iTunes (which is such a memory hog for simple things). I also use irssi instead of a graphical client for IRC since it’s a little lighter weight:

I rigged Quicksilver up to the cmus-remote command-line utility so I can have system-wide keybindings for player control, pretty much the other thing I use iTunes for anymore is heavy music folder management (I do like that feature). I spend a great deal of time at the command-line, if you’re interested in configuration files, you can find my zshrc, screenrc, vimrc, gvimrc and nsmcrc at dotfiles.org.

Finally, here’s an overview of my basic whole-desktop setup:

My GTD process has kind of evolved into a stripped down version of the multiple-step instructions from some of the more famous practitioners (receive email, process until inbox has 0 messages, perform actions). I make up a large amount of time by unifying my tools around a certain look and feel (Vim-keybindings for everything), allowing my brain not to have to shift gears for different tasks. By keeping a strict set of rules on which application goes where (as in for virtual spaces), I always know where I can find what I am looking for (application wise). In my opinion, this adds to my efficiency more than any particular tool could have.

Well, that’s about it, hopefully you found something interesting in this post. If you have a neat tool or helpful suggestion, leave a comment below (especially if it has Vim keybindings )