On the Soapbox

From the Yahoo! press release announcing that they are outsourcing search advertising to Google:

In addition, Yahoo! and Google agreed to enable interoperability between their respective instant messaging services, bringing easier and broader communication to users.

Gee, doesn't this sound familiar? Here's to hoping that this attempt at interoperability works better than the Google-AIM one and that this brings another player to XMPP (Yahoo! seems like it would be more supportive of open standards like XMPP than AOL-TimeWarner).

Last night, the code for Firefox 3 RC1 was handed off for building, and as I type this, the first candidate builds for RC1 are being spun. I've been using the nightly builds on my test machine (actually, a VPC) for a while now. At first, it was just meant as a test installation so that I could get a feel for what the upcoming browser would be, but now I find that I'm doing more browsing on that test install in a VPC than I am on my Firefox 2 installs on the real computer. That I'm using the Firefox 3 nightlies more than Firefox 2 despite it being run in a virtual machine is a testament, I think, so how great the new version is. So what makes it so great?

1. Places: the new SQLite-based storage of bookmarks and history is much faster and allows for cool new things like the new location bar. I must admit, like many users, I hated the new location bar at first. It took a bit of getting used to and some adjustment in how I used the location bar, but now, I find it to be utterly indispensable, and it is the primary reason why I am using Firefox 3 more than Firefox 2.
2. Firefox 3 is noticeably faster and more responsive.
3. As a result of improvements such as the use of jemalloc and a new garbage collector, Firefox 3 uses less memory.
4. The new graphics backend offers various benefits, such as the smooth scaling of images.
5. Firefox 3 strives to appear more native, so it fits in better with the OS that it is running on. Of special interest to me, Firefox 3 looks better than Firefox 2 on Windows Classic.
6. The download manager has been improved. First, it no longer uses RDF and thus doesn't suffer from slowdowns when the list gets too long (the use of RDF was a perfect illustration of how too many people today are mis-using XML for things for which XML is an insanely bad idea). Second, it allows download resumption. Third, it shows a general status indicator (# of downloads and est. time remaining) in the browser's status bar so that you can keep the manager closed and still keep track.
7. The remember password prompt has been redesigned so that you could choose to remember the password after you have successfully logged in.

Back in 2004, when the Firebird browser ran into naming difficulties and a search for a new name was initiated, I quietly wished for what I knew was a nearly-impossible outcome: that AOL would relinquish all claims to the Netscape name and donate that name to the Mozilla Foundation, so that it could be used for the name of their new browser. After all, Netscape is a browser's name, and if AOL was no longer in the browser business, why would it keep the name?

There were several reasons I wished that Firebird would be rebranded as Netscape. First, the Netscape logo has always been pretty. The elegant N on a starry background and a ship's steering wheel superimposed with the constellations were beautiful and evocative of the idea of "exploring" the Internet--I remember using Netscape 1.0 and how much that branding imagery colored my initial experience of browsing the web. Second, it would be poetic, for Firebird was originally named Phoenix, and if it could be named Netscape, then that would allow it truly live up to to the intent of its name. And most importantly, it was a name that made sense. "Netscape Navigator" gave some hint at what the product does: it navigates the net.

Back in 2003 when Mozilla announced that Firebird would become their new flagship product, they also announced that the final product name would be "Mozilla Browser", and that Firebird was just the project's temporary codename. Branding discussions from that time talked about the need to reinforce the "Mozilla" name (since Mozilla's first objective has always been the Gecko platform) and the need for clarity about what the product does. The "Mozilla Firebird" name doesn't give anyone any clue whatsoever what the nature of the product. It does not matter for people who are familiar with the product, but given that Mozilla is the underdog trying to claw its way up, a name like that made little sense at the time, and even today, it still makes little sense.

But I suppose this was all in line with modern marketing styles where things are given names that have absolutely nothing to do with the function or purpose of the product. What would have guessed that "Song" was an airline? Outside of the tech-savvy minority, who the heck has any clue what "Twitter", "dodgeball", or "del.icio.us" are? On the other hand, "Facebook" and "MySpace" have names that at least hint at what it is that they do. Similarly, Microsoft and Google are consistent with their naming: "Microsoft Word", "Windows Media Player", "Google Earth", "Gmail/Google Mail" are all examples of products whose use of a generic product name helps shift the emphasis to the parent brand name and clarifies what the product itself is. "Mozilla Browser", "Mozilla Navigator", and "Netscape Navigator" are names that would follow that same pattern of sensible product names.

But alas, to my horror, it was announced in 2004 that the official product name for the Firebird project would be "Mozilla Firefox". This was wrong in so many ways. The initial reaction upon hearing that name from many people then (and still today) is, "what the heck is a firefox?!" The name was appropriate for a code name or for an inside joke, but not for a product name. It offered no clue as to what it did. It adds an extra step to the evangelism and marketing of the product because you must first explain to someone that "Firefox" is a web browser. I was also disappointed because I saw Phoenix as the rebirth of the Netscape lineage, and now the final name had nothing to do with Netscape or Phoenix/Firebird, and the metaphor was, sadly, lost.

Epilogue: With the initial success of Firefox, AOL resurrected the Netscape brand and released a couple of browsers based on Firefox bearing the Netscape name, but these releases played second-fiddle to Firefox, and Netscape slid further into obscurity. Earlier this year, the Netscape brand was closed for good. RIP...

Microsoft made an unsolicited $44.6 billion bid to buy Yahoo! today. This was not unexpected, as there have been discussions, rumors and speculation of a Microsoft buyout of Yahoo! since 2005, but it is very surprising that Microsoft would actually pursue such a course of action.

At $44.6 billion, this would be by far the most expensive acquisition in Microsoft's history and is a 62% premium over the current stock price. Is a sinking company like Yahoo! worth this price? The biggest problem with this acquisition is that neither company has much to offer the other. Does Microsoft really need two AJAX e-mail services that emulate a desktop app interface? Does Microsoft really need two search engines? Or two map services? Or two instant messaging systems (both of which have already interoperable with each other for some time now)? Technologically, Yahoo! has very little to offer Microsoft--much of what Yahoo! has, Microsoft has as well. There would be very little, if anything, to be gained from merging Microsoft and Yahoo! technologies and software, and such a move would also be extremely costly and complicated. What about talent? Microsoft has no lack of good talent, and if stories like this one about the Vista development process is any indication, Microsoft's problem isn't a lack of talent, but an organization that impedes the effectiveness of talent, in which case, how would a larger overall company and a Yahoo! demoted from independence to corporate division help with this problem? This leaves us with Yahoo!'s user base of around 130 million users per month (as of a year ago, in December 2006). Is each Yahoo! user really worth over $340? Especially since Yahoo is a company in stagnation or even decline? How would Microsoft grow Yahoo!'s user base? And vice-versa?

Ultimately, this is a terrible idea. Steve Ballmer and Microsoft's board are yahoos for proposing what could very well turn into the next AOL-Netscape. On the other hand, at a 62% premium for a fading company, Yahoo!'s shareholders would be stupid to not accept such a lucrative offer. So unless Microsoft gains some sense and pulls out of this one, this disaster is a fait accompli.

It's about time! Unfortunately, federation hasn't been enabled yet. Why this matters.

Last Thursday, as I was checking something on Microsoft Update, I noticed that I was no longer being offered WGA Notifications in the critical updates list. That's very odd, I thought. I didn't tell MU to hide the item, nor have I installed it. I switched to another computer and fired up Microsoft Update. Still nothing. In the past, Microsoft has withheld certain updates from certain locales (in fact, WGAN itself was rolled out at different times in different regions), so I wondered if, for some reason, Microsoft had disabled the offering of WGAN to certain groups of users. To check for that, I searched the update catalog for WGAN by name and by the KB number. Nothing. It wasn't all that long ago when I last saw WGAN being listed in the update catalog. Of course, people can still find it at its MSKB article and in the Microsoft Download Center, but it's through Automatic Updates and Microsoft Update that Microsoft shovels WGAN onto people's computers, and it's no longer there.

Of course, I don't care much about WGAN, nor do I care much about whether or not Microsoft is shoveling it onto people's computers. But I was interested to see what the reaction was online, so I looked around. Nothing. Nothing? Yes, I meant nothing. Not even on the once-contentious talk page of the WGA Wikipedia entry. Ever since Thursday, I've searched Google Blog Search and Technorati to see what people had to say about it. And here's the amusing thing: all my searches for recent posts about WGA Notifications turned up only rants and tirades against how evil WGAN is, about how evil Windows is, about how evil Microsoft is (though sadly, none of them recognized Jobs' much more pronounced monopolistic ambitions), etc., etc. Not that I have much love for WGAN either, but it struck me as rather odd (and amusing) that all these people ranting about how annoyed they are at WGAN never picked up on the fact that for the past several days, WGAN was missing from its primary distribution channel!

So what happened? I have no idea. Perhaps they temporarily pulled it in preparation for an update? But it is very unlike them to retract downloads prior to an update. Or have they finally recognized the cost of the bad PR and are quietly shelving it? Or is this just a temporary glitch in Microsoft Update? Guess we'll find out in time...

Normally, when I run into some problem or some sort of quirky behavior with some piece of software, I'll just curse at it, get frustrated, get annoyed, and then accept that it's just how it is. Unless the problem is fairly disruptive, blatantly a bug, or obviously something that I can fix myself, I usually don't give it much thought after the obligatory round of grumbling.

But every now and then, I do get frustrated enough at the minor quirks that I end up trying to fix it, and if it's a problem with Windows, then that means a trip to the Microsoft Knowledge Base (MSKB). It's a treasure trove, and over the years, I have almost always found a KB article that addresses the exact issue that I experienced. Yet, despite this, I have never have gotten into the habit of using MSKB. Whenever I encounter a minor quirk, I tend to automatically accept it as just a part of life, and it often doesn't even occur to me that there may be a fix for this minor thing, and worst of all, this dismissal happens automatically, without me even realizing it.

Anyway, to save power and to reduce the amount of heat produced, I often put my laptop in a sleep mode if I'm not using it for an extended period of time. The problem with this is that every time the laptop comes out of sleep, the network connection sometimes behaves strangely for a short while (less than a minute), and once I bring the laptop out of sleep, I can't put it back to sleep immediately. I have to wait a little bit before I can do that. And all this time, it never occurred to me that this is a problem that could be fixed; I had just thought that this was a natural and normal part of sleeping and waking the laptop and that perhaps the OS needs to perform some tasks after being reactivated from sleep. Well, as it turns out, KB308467 addresses this exact issue. Offers an explanation of why it happens and how to work around it. And now, I can sleep and wake my laptop without any quirky network behavior and the process is now virtually instantaneous: takes about a second to put it to sleep and about a second to wake it up. Neat, huh?

And the problem of some optical drives mysteriously entering PIO mode? Although I've had this happen to me only once, I've seen this happen to other people back when I used to moderate an optical drive forum. We never thought much of it since it was a relatively rare thing. Turns out there's a fix for that too from the MSKB...

During the Microsoft antitrust battle of the 1990's, I recall Microsoft making the point that the computer industry was volatile and that monopolies are always at risk of naturally collapsing. Their best example was IBM, which was itself involved in a long, prolonged antitrust battle in the 1980's. Except for the resources wasted in the courtroom, nothing came out of those antitrust proceedings, but nothing needed to: IBM's monopoly had naturally collapsed, largely thanks to Microsoft.

Microsoft at the time of its own antitrust trial was fond of portraying its relationship with IBM as one of a young, relatively small upstart negotiating its way through a world dominated by a large, mature, and well-established corporation. And although the relationship between the two in the early 90's were terrible, the two never really directly competed. IBM did release OS/2, but OS/2's prominence was very limited and, for the most part, the two never directly battled. Direct competition came not from Microsoft, but from companies like Compaq, who were making IBM clones. After all, IBM was primarily a hardware company, and Microsoft was primarily a software company. But if they did not directly compete, why do people credit Microsoft with IBM's demise, and why did Microsoft view itself as a sort of rival to IBM?

Although the end of IBM's reign came directly from the rise of the ironically-termed "IBM-compatible PC", what had really happened was a platform shift. The hardware was no longer the platform of primary importance; this role had shifted to the operating system. In other words, it was no longer important to buy a computer bearing the IBM brand. Any computer with any brand would do, as long as it ran DOS or Windows, because it's on DOS and Windows that everyone's applications ran on. Contrast that with Apple computers, from the Apple II to today's Macs, where the hardware and operating system are vertically integrated and thus getting the operating system that ran the software that you wanted necessarily also meant getting hardware of a certain brand. The divorce of that hardware from the operating system destroyed IBM's monopoly power, which made possible competition in the hardware market, thus destroying IBM's monopoly and paving the way for the rapid-paced evolution of hardware and uptake of the PC in the 1990's (this, by the way, is the primary reason why I am so thankful that Apple ended up being marginalized; tight-fisted vertical integration of hardware and software has long been Apple's MO, and had they been at the helm, all the fast-paced innovation of the 90's would have been largely muted, and even today, Apple's "innovations" are largely aesthetic while all the real work of more powerful hardware development falls upon the legions of generally little-known hardware manufacturers made possible by the lack of hardware-software vertical integration).

Microsoft is quite cognizant of the way by which IBM fell from its pedestal, and this was why they were so fearful of Netscape and why they launched an all-out effort to destroy it. In hindsight, Microsoft never needed a heavy-handed tactic to destroy Netscape, since, despite all the hoopla over the antitrust violations, 90% of Netscape's demise could be attributed to the fact that Navigator 4 was by far the worst, most unstable, most buggy, and most atrocious browser to have ever been widely released. Microsoft's illegal actions only hastened the death that Netscape brought upon itself. But had Netscape actually produced a decent product, and had the conditions in the 90's been right (keep in mind that broadband was rare and many people were still not connected at all), Netscape could have posed a threat to Microsoft because if applications started to move online, then it would be Netscape's browser that would be the most important platform, and the choice of operating system would be marginalized, much like how the choice of computer brand was marginalized. Microsoft knew this, and it knew that it could not repeat IBM's mistake, so they tried to protect themselves through vertical integration, so when the day comes when online applications supplant offline applications, they would be running atop Microsoft's platform, not Netscape's.

Fast-forward a decade, and we are now only beginning to see the first glimmer of the world of truly functional web applications, in a very immature state in the form of AJAX and Flash. Although online applications are still far from supplanting offline applications, for a large segment of the population, especially among newcomers and casual users, the applications that matter most are e-mail, chat, web browsing, word processing, and maybe some multimedia playback,and all of which are applications that are independent of the operating system (some, like web-based e-mail, has been OS-independent for a long time, and some, like word processing, only broke free from the confines of the OS fairly recently with the launch of Google Docs). Through the standardization of web browsers, the browser has become less important, marginalizing the safety net that Microsoft had hoped to win with Internet Explorer, and with the prevalence of broadband and a growing number of people comfortable with the online world, this is the beginning of the end for Microsoft's monopoly. The recent uptick in Apple sales is in part due to the iPod halo effect and Apple's effective cult indoctrination brainwashing marketing department, but it is also greatly helped by the fact that as more and more of the applications that people care about are located online (either because of applications moving online or a shift in the things that people care about), the importance of the operating system is reduced, thus naturally destroying Microsoft's monopoly power (note that monopolies are not necessarily bad; it's monopoly power that is bad).

By now, it should be apparent why Microsoft's CEO, Steve Ballmer, made a private remark a couple of years ago (that was later leaked to the public) about wanting to "fucking kill" Google. A young, relatively small upstart is threatening to destroy a large, mature, and well-established corporation's world by pulling the rug from underneath them by shifting the platform away. Of course, the analogy isn't perfect. Although Google is the primary gateway to the Internet (just as Windows is the primary "gateway" to desktop applications), Google is not a monopoly in part because there are far fewer networking effects conducive to the formation of a natural monopoly. In layman's terms, Google is a quasi-monopoly of choice since people use Google because they choose to and they can easily switch to another search engine to find the same sites while Microsoft is a monopoly of necessity since certain programs only runs on Windows. And if Google were to become a monopoly, it would be one with very limited monopoly powers.

Finally, what about the browser? The thing that Microsoft had so long feared? W3C standardization has helped reduce the browser to just a commodity product whose choice is becoming less and less important. Gecko, which was built from scratch from the ruins of Netscape, still clings onto the notion of the browser as a platform, and as such, it is the most powerful and robust browser engine, making Gecko almost like an OS (after all, the Firefox browser, Thunderbird e-mail client, and Seamonkey communications suite are all rendered, independently of OS, by the Gecko engine--as in the UI and controls are all handled by Gecko, much like how Windows apps are rendered by the WinAPI). Although there is the chance that the model of the browser as a quasi-OS may bear fruit in the future, I have my doubts about whether this model will take off.

I made a typo this evening and was confused when I found myself staring at a red page with Verizon's logo and a search box. It took me a few seconds to realize that some time today, Verizon had set up a DNS wildcard that was redirecting incorrect web addresses to their search portal, complete with a "helpful" message telling me that the address I entered was invalid and that perhaps I should search for what I was looking for via their search engine.

First, I wish that companies that try to pull this sort of unethical perfidy would stop trying to claim that they are providing "services" aimed at "helping" their users. That is pure, unadulterated bullshit. Modern browsers, by default, will do a search for what you typed into the address bar if a DNS error is received. There is, therefore, nothing to be gained from loading up Verizon's search page. In fact, there is much that is lost. First, if you type "szdmfewo.com" into the address bar, Internet Explorer will automatically search for that term once it receives the DNS error. Verizon does not even do that. It just takes you to a search page without even so much as pre-filling the search form. Thus, for novice users, Verizon's "helpful" scheme is actually less useful and even confusing for novices who are so used to the automatic search that they use the address bar as a sort of search box. For intermediate users, browser-based error search respects user choice. For example, you can configure it to use your favorite search engine. Verizon does this group of users a disservice by taking that choice away from them. And as for advanced users, the very idea of this sort of DNS hijacking through the improper use of DNS wildcards is an anathema. We may have programs or scripts that rely on being able to correctly detect DNS errors in order to function. We prefer seeing error pages when we do something wrong instead of some glossy hand-holding mechanism. And more than anything else, we bristle at the very notion that someone else butting in, reducing our choices, and changing things in a way that breaks the specifications under which the Internet functions. In other words, I'm fucking pissed.

To add insult to injury, Verizon has carefully hidden away all information about how to contact them for feedback. I was finally able to find a way to e-mail them--via an online form that limited the message to 70 bytes. Perhaps Verizon is aware of the torrents of unanimous protests and complaints after VeriSign and Earthlink tried DNS wildcarding. Verizon does offer a way to "opt out" of this system through a DNS server that they provide. However, these instructions are buried and are understandable only by people with a fair amount of technical proficiency. Their solution is not very elegant, either. The routers that Verizon provide their DSL customers get the DNS server addresses by DHCP, which means that they cannot be changed. Thus, in order to use the "opt out" server, each individual device on the network must be changed to use a hard-coded DNS server, which reduces the usefulness of DHCP on the network, eliminates the benefits of the router acting as a local network DNS cache, and is just a bloody pain to do. Also, Verizon provides only one DNS server, which means that people who opt out of this "service" of theirs will lose DNS redundancy.

As for the search engine itself, it is actually a meta-engine created by InfoSpace. It queries Google, Yahoo!, Microsoft, and Ask and aggregates their results. So the big search engines end up doing all the work while InfoSpace and Verizon, like leeches, reap all the advertising profit (no doubt the reason behind this "service"). InfoSpace, by the way, is a shady company responsible for such fine flotsam as Dogpile and Zoo.com. Envious of the advertising revenue of the major search engines but can't compete with them? Easy: just shove your leech engine down the unwilling throats of your customers, disrespecting and disrupting the Internet experience of your customers, and profit not from having a good product or serving your customers, but by abusing power and leeching. Despicable. Utterly despicable.

On December 20, 2006, a security company named Determina privately reported to Microsoft a vulnerability in how Windows handles animated cursors. According to Microsoft, they immediately began to "investigate" the issue in December. Not much was heard about this bug until last Wednesday when McAfee reported to Microsoft about a new attack using a previously unknown method. Microsoft then launched their incident response process and issued a security advisory the next day.

On the surface, a bug in how Windows handles animated cursors does not seem to be a very serious problem. (Edit: The following passage has been updated.) However, it is possible in CSS to specify different mouse cursors--for example, if the site owner wishes for the mouse to remain an arrow instead of turning into a hand when hovering over a link. It is thus possible to embed animated cursors on a web page or in an e-mail. Because mouse cursors are rendered by the operating system and not by the browser (the browser effectively tells the operating system to change the cursor), this is an operating system bug that affects all browsers that support the changing of mouse cursors through CSS (which is a part of the official CSS specification). What this means is that if you just visit an infected website, you will be immediately infected without the need for you to do or click anything. Or, if you open, read, or even preview an infected e-mail, you will be immediately infected even if you don't open any attachments in the e-mail. In other words, malware that exploit this vulnerability are extremely virulent. Infected websites could either be created by hackers, or they could be legitimate websites that have been discreetly compromised and hacked to deliver a payload without the website owner's knowledge (which meant that Microsoft's recommended temporary solution to "not visit untrusted websites" is not very practical because it is possible for any "good", but poorly-secured, website to become unwitting infection vectors). Once infected, anything is possible, depending on the payload delivered by the virus--including the possibility of a complete takeover of one's computer and the compromise of all data on it.

The severity of the problem grew significantly worse on Friday and over the weekend, a spam campaign was launched with e-mails that either contained a malicious payload or that had links to websites that delivered a malicious payload. Later in the weekend, a tool was made public that allowed anyone to attach any payload of their choosing to an infection vehicle that exploited this vulnerability. In response, various security groups raised their "alert level", including SANS, which hadn't raised its alert level in almost a year. Recognizing the severity of the problem, Microsoft announced on Sunday that they have a fix and that they will be releasing it on Tuesday. Microsoft always releases their security updates at the same time, on the second Tuesday of each month (known as "Patch Tuesday"), and it is only in rare and severe circumstances, like this one, that Microsoft will deviate from the schedule and release a security update early and separately from the rest.

What is most interesting about this story is how Microsoft responded. This incident never would have happened and goodness-knows-how-many computers would never have been compromised (it will be impossible to measure how many computers were infected because of the large number and wide diversity of different payloads that exploited this vulnerability, though it should be safe to assume that the number will likely be very high) if Microsoft had just fixed the problem in December instead of just "investigating" it for over a quarter of a year. Microsoft clearly didn't think very much about this problem until it was too late. Like most other vulnerabilities, this one uses a buffer overflow, and these are generally very easy to fix. In fact, on Friday, mnin.org was able to locate the exact location of this particular bug, and eEye had created an unofficial "quick-and-dirty" fix for the problem on Thursday. On the other hand, Microsoft, with their vast resources and intimate knowledge of their own code, took more than three months to "investigate" the problem. I suppose this is one of the things that makes Mozilla software more secure. Firefox is not devoid of security vulnerabilities--there has been so many that I've lost count (though still not as many severe ones as Internet Explorer), but after observing how they have handled their security vulnerabilities, it becomes clear that they take an approach that might be described as being excessively paranoid. Each vulnerability, no matter how obscure, is treated with great urgency, and most security flaws are patched within a few days of their initial reporting, even if no attacks exploiting the vulnerability exist and even if the vulnerability has never been publicly disclosed. This is in contrast of Microsoft's practice of quietly sitting on known security vulnerabilities as long as no attacks that exploit them exist and as long as a particular vulnerability has not yet been publicly disclosed, in the gamble that perhaps nothing will ever come of it. Well, this time, Microsoft lost the gamble in a very grand way, and average computer users are paying for it with hijacked systems and compromised data. (Edit: Unfortunately, in this case, because the bug is a OS-level bug, it will affect all browsers, even those not made by Microsoft, but it does serve to illustrate a different approach to such bugs that Microsoft takes.)

Update: Interestingly, a similar vulnerability was reported and fixed in 2005. See Determina's notes.

Read this recently at http://adblockplus.org/blog/speaking-of-ie-security

It could just as well read out your mail or change your mail password. It could also go into your banking account if you happen to be logged in. Information on this vulnerability has been published April last year and still unpatched in both Internet Explorer 6.0 and 7.0.

It's no secret that IE is a bad browser, but I honestly didn't know that it was this bad until just now. I had thought that with a fully-updated IE7, I'd only be vulnerable to relatively new zero-days, not something this old. With open exploits like this along with more and more computers being infected with trojans and keyloggers, it is no wonder that the official Gmail support forums are peppered with sob stories about people who lost everything when their mail accounts were "hacked".

After much prodding and insisting, I was finally convinced to install a trial copy of the new Windows Vista in a Virtual PC. After using it for about an hour, here are my impressions...

The Good:

• Nice aesthetics. The default look is definitely much better than the immature cartoony look of XP. Not that this is relevant since I never use the default look and instead prefer a custom-tweaked classic theme.
• Much better sounds; they're gentler and less jarring. However, it is very easy to copy the sounds from Vista back into XP, so this is my no means an exclusive feature.
• Nicer fonts. Once again, these can by easily copied back into XP, and in fact, I have been using Vista fonts in XP for some months now. The downside to this is that the new Vista fonts pretty much require ClearType, which I am still ambivalent about using.
• The new user directory structure rocks and is much more Unix-like. "Documents and Settings" was just too fucking cumbersome, if you ask me.
• User Account Control is a nice, much-needed security feature and should hopefully reduce the number of compromised machines joining botnets.

The Bad:

• User Account Control is moronically implemented. It doesn't always trigger when it should. There are numerous cases (such as using notepad to edit HOSTS or copying system files using batch files) where the system would just flatly deny access to something instead of popping up the UAC dialog. This is because the UAC dialog trigger is controlled by a set of APIs and the offending software has to request it. A more sensible approach would be to act more passively and pop up the UAC dialog any time UAC denies permission to anything. This makes UAC much more robust and means that software makers don't have to update their software to make UAC requests. Of course, this wouldn't be a problem if UAC wasn't even active for administrative accounts. Right now, as an administrator, there are some things that I simply cannot do because UAC is active even for administrative accounts and the non-passive implementation of the UAC dialog means that I am never even given a chance to approve an action and to override the permission denial. This forces me to disable UAC in order to just be able to perform certain administrative tasks. This, of course, poses additional problems since UAC is a system-wide setting and disabling it affects all users, not just my administrative account. How lovely. Microsoft could've solved this simply by making the UAC dialog pop up instead of denying permission. Or better yet, Microsoft could just disable UAC for all administrative accounts and make the default first account a standard user account instead of an administrator account. What is the point of making the first user an administrator if it is going to so severely cripple administrative accounts with UAC?
• This whole 3D graphics thing has been taken too far. How do I know this? When Minesweeper complains about the lack of 3D graphics acceleration. Excuse me, why in bloody hell does a simple 2D game like Minesweeper need 3D graphics? The end result? Minesweeper is excruciatingly slow and only marginally responsive. The tiles are also much bigger (and uglier, too); not good for a timed game where speed is essential.
• The bloat and the size. Clean install of Vista takes over 5GB of space.

The Ugly:

• Vista on the whole feels inconsistent and clobbered together. I suppose this is to be expected for such a large piece of software. For example, at one point in the wizard to set up Windows Mail, it asks me to press the back button to return to the previous page. But when I looked down in the lower right, there were the usual Next and Cancel buttons that one expects to see in a wizard dialog, but no back button. It took me a while to realize that the back button was nowhere near the next button and was instead in the upper left and instead of a text button, this was a graphical Internet Explorer back button. Sitting all by itself (the next button was still in the lower right). There are countless examples of these inexplicable inconsistencies all around and makes the OS just seem confusing at best and amateur at worst.
• I understand the need to make the desktop icons 48 pixels by default. It really helps the older folks reading on high-resolution screens. But did you know that you can set the icon size to 48 pixels in XP as well? In fact, you can set it to 16, 32 (the default in XP) or 48 pixels. But in Vista, regardless of whether the setting is on 16, 32, or 48 pixels, the desktop icons remain at 48 pixels, which wastes far too much space. Making the default at 48 is okay by me; making it the default and the removing the ability to set it back to 32 is just plain immoral. I have absolutely no respect for software that violate the First Rule of user interface design: the end-user is always right. Edit: Okay, so I finally found where to change this setting, but this brings up a new rant: why aren't these settings all grouped into one place (or at least accessible from one place?). Each new version of Windows seems to have increasingly scatterbrained controls, and Vista is certainly no exception! And if they are going to change the way the desktop icon sizes are controlled, then why did they not remove the old pixel-based icon size settings (which now do absolutely nothing)? Amateurs!
• While Microsoft has taken steps to make the control panel more sensible (for example, grouping once-disparate network settings together in one window), everything still feels scattered. The network controls now involve so many separate dialogs that could've been merged together that the network controls feels so much more confusing than ever before. And remember UAC? I tried looking for them in the Security Center, which explains UAC and which also displays the current UAC status. But it doesn't have anything to control UAC and doesn't indicate where UAC is. Ultimately, I had to search the help manual to find where the UAC controls actually were.
• The network status indicator in the system tray no longer opens the network status (like IP, connection time, packets in/out, etc.). In fact, even if you right-click on it, you don't get a menu item for the network status. That requires a trip to the control panel.

Conclusion:

I tend to be fairly conservative when it comes to software, but despite that, my initial reaction to Vista has so far been much more sour and unpleasant than my initial reaction to any other major new software to date. Perhaps I need to use it for more than just an hour. Also, while most people who criticize Vista then go and hug Mac OS X, I am not one of them. I am comparing Vista against XP, not against OS X, which, for the record, I dislike even more than Vista.

In any case, I actually had more rants than what is posted in this entry, but I've forgotten what some of them were (yes, I have a very bad memory); I'll update this post as I remember them.

It seems to me that as more and more people obfuscate their e-mail addresses in the form of "johndoe at example dot com", this isn't going to be a very effective method any more. For example, this Google search for "at gmail dot com" (with the quotes) yields over a million results, most of which can be readily parsed straight from the search results page. So for people who use this sort of obfuscation, does this prevent you from getting on spam lists?

This is a follow-up to this post from September.

When Google purchased a 5% stake in AOL is late 2005, it was announced that Google Talk and AOL Instant Messenger will become interoperable. However, a year passed, and there was no interoperability in sight, so many people, including me, began to think that it would never happen. After all, why would AOL open up what is arguably its most prized asset for a company with a measly 5% stake?

Well, according to Internet rumor mills on both Google's end and AOL's end, it's looking like the interoperability is going to happen this year. Better late than never, I guess.

What is most exciting about this, however, is what it will mean for the future of Jabber/XMPP if the largest IM network adopts Jabber/XMPP. And that is a big "if" because it's possible for AOL to achieve interoperability without actually adopting Jabber. The easiest way to achieve interoperability would be to set up a Jabber transport that acts as a sort of crude proxy in which Jabber users still need to register for an AIM account and where the transport basically acts as a liaison that hooks the AIM account to the Jabber account. A transport would be a superficial solution and one nullifies a number of the main benefits of Jabber/XMPP, namely the unifying of e-mail and IM addresses. The upside of transports is they are easy to implement; third-party Jabber transports that allow Jabber accounts to communicate with AIM, MSN, Yahoo!, etc. have existed for years and have been deployed by many organizations who use Jabber transports as a secure means for people on the internal network to connect to these external networks.

The other way to achieve interoperability is to make the AIM network speak XMPP. The AIM network is already "bilingual", in that one can communicate on the network using either TOC or Oscar, so adding XMPP support would simply involve adding a third parallel protocol. I am hoping that this is the solution that they are seeking because it would do much to advance Jabber/XMPP and because of the elegance of having "native" XMPP support. I think that this might be the case because of the wording of the Google rumor (though the language is ambiguous enough that it could just as easily be read the other way as well), because of how long it has taken (if they were just setting up a transport instead of doing "true" interoperability, they could have done it in a matter of weeks), and because of how nicely this fits with recent developments in the AIM network. With the launch of the @aim.com e-mail service, AOL has been getting people to equate buddy list screennames with e-mail address, pushing the idea that one's screenname is now example@aim.com instead of just example. This is the first step to paving the way for a Jabber-like paradigm. And with AOL pushing a custom domain service, they now have people on the AIM network whose screennames are not in the form example@aim.com, but are instead in the form of name@example.com. This sort of change would make a true Jabber implementation almost a necessity.

In any case, this is all just speculation. Here's to hoping that the interoperability happens the right way and that Jabber/XMPP will get the boost that it needs in 2007.

This is an interesting article from the New York Times about the recent escalation in spam. Volume has increased, and now with the pervasiveness of image spam, filtering is starting to break down. The end of the article was the most interesting:

Some antispam veterans are not optimistic about the future of the spam battle. "As an industry I think we are losing," Mr. Peterson of Ironport said. "The bad guys are simply outrunning most of the technology out there today."

It's about time people have realized this. Filtering as a way to combat spam was necessarily doomed to failure. This is because to expect filtering to eliminate spam is much like expecting cold relief medicine to forever eliminate the common cold. Antispam filtering addresses only the symptoms of spam. Furthermore, filtering works by telling the difference between spam and non-spam, which is ultimately an artificial intelligence problem. Since artificial intelligence does not exist (and even if it did exist, it would be costly to implement on a scale large enough to handle spam), filtering relies on a hodgepodge of heuristics that works only because spammers have not done a very good job of disguising spam from non-spam. It is only a matter of time before spammers put enough effort into blending spam with non-spam that these heuristics will break down completely.

The Times article also fails to recognize that spam is not limited to just e-mail. This blog, for example, is bombarded with thousands of comment spams each month. Forums, hosting providers, instant messaging networks, etc. are all targets of spams as well. Even server logs have become the target of referer spam (I get thousands of those each month, too). Even if there was a way to implement effective filtering for e-mail, spammers will just move to another medium. And what will be the cost--in terms of bandwidth, computing resources, and false positives--of continuing this endless arms race in pursuit of a solution?

It is easy for people who look at statistics saying that 90% of all e-mail is spam to despair and to proclaim that spam will destroy the Internet, but such a point of view is missing a critical point: spammers are very few in number, and they are empowered to hog the stage only because of their ability to commandeer vast resources for themselves.

Dismantling botnets is the key to dealing with spam, and from my perspective, it is the only way to "win" and to "save" the Internet. Yet, there was no mention of dealing with the botnet problem in the Times article and recent articles about combating botnets all deal with superficial solutions like tracking botnets and shutting down the command and control for botnets. However, such solutions are themselves doomed to failure because they too deal with botnets only on a superficial level. The reason why botnets get so little attention is because dismantling them ultimately requires tighter security at the level of individual computers, and it is difficult to get Joe Sixpack to properly secure his computer against botnet hijacking, so instead, the publicity and attention is put on mitigating the problems post hijacking. Why are there so sensational articles written about spam and botnets but so few about how easily it is for the average computer user to get his/her computer hacked and taken over by a botnet? So how do we solve the botnet problem?

1. User education: This is difficult and most likely will be limited in its effect, but it won't hurt to try. For starters, ISPs and major computer makers could include a prominent flyer in the products that sell of things not to do (instead of burying this information deep inside a manual that most people will never read). A national awareness advertising campaign would help a lot, too (given how much money is already being spent combating the damages caused by botnets, this will be relatively cheap).
2. Better OS security: Hopefully, Vista will alleviate this problem. However, for the large existing base of XP users, not too much more could be done. Microsoft's WGA encourages people to avoid updates from Microsoft, thus causing many computers in poorer regions like Eastern Europe and China where many computers fail WGA to be unprotected, but the damage from that has already been done, and loosening up on WGA now will only help the future Vista user base (though a loosening up now could help in the future if Vista proves to be just as vulnerable as XP). Speaking of WGA, why not implement something similar, but for security? A WGA-like system that checks to see if the OS has all the latest security patches and then nags the user when that isn't the case?
3. Network monitoring: There are some networks that monitor traffic coming out of a computer on the network for signs of infection and scan computers on the network for known vulnerabilities. If an infected computer is found to be sending botnet-like traffic or if a computer is found to have an unpatched security hole, then the computer is blocked from the network and the owner notified. This is probably the single most promising solution because, by notifying the owner of the problem, it raises the awareness of the botnet problem for the average users who are otherwise oblivious to it, and if a quarantine is used, then it will also ensure that particular computer will remain disconnected from the botnet. Such a system would be automated and could be implemented without action by the end user (unless, of course, the end user is found to be infected and is blocked). Unfortunately, very few networks of importance (i.e., the major ISPs) implement such a solution even though most of the botnet computers in the US are located one of the major consumer ISPs.

Note that government legislation is missing from my list of solutions. Contrary to its favorable description in the Times article, the CAN-SPAM Act was, quite frankly, a useless piece of legislation that did nothing except increase regulatory bureaucracy and gave the illusion that something was being done about spam. Almost all of the things hawked in spams are already covered by various anti-fraud and other criminal laws, and similarly, hacking into and commandeering someone's computer with neither their knowledge nor their permission is already illegal, so any additional botnet legislation would be superfluous. If government were to get involved, the role that it would play would be one of addressing the externality problems of botnets. ISPs currently have little incentive to implement the sort of network health monitoring I suggested above because they would bear the cost while everyone else will reap the benefits. Similarly, a user education campaign that reduces the size of botnets will help everyone who is connected to the Internet and is thus a positive externality. A government subsidy would thus be appropriate here to deal with these sorts of externalities.

This is a follow-up to this post...

Got an e-mail today about my Northwest Airlines miles. The problem? The e-mail came from worldperks.miles@mpmvp.com. WTF is the mpmvp.com domain name?! I visit the domain in the browser, and I get a SSL certificate warning because the certificate was signed for nwa.mpmvp.com and not for mpmvp.com or www.mpmvp.com (the correct solution would have been to redirect mpmvp.com and www.mpmvp.com to nwa.mpmvp.com; this is the first sign that the IT "professionals" who set this up are utterly incompetent). The site looks just like the NWA website. Okay, I understand that these companies like NWA often enter into various affiliate programs with places like points.com and it may be temping to set up the joint website on a separate domain to avoid the hassles of dealing with the NWA DNS hostmaster. But this is BS because it is trivially easy to set up a points.nwa.com zone and then delegate it (NS records) in DNS to the people at points.com so that it can be administered entirely independently of NWA's DNS. It is these utterly incompetent and appallingly stupid setups that make user education about security that much harder. Oh, and there was no SPF record either. Where do they find these idiots?!

WTF?! This is the latest addition to Microsoft's Windows Live line of products. It's Clippy reborn... except much more obnoxious... and much more useless.

Saw this hilarious post in my RSS reader this morning. What makes all this even funnier is that this so-called "obfuscation" was just encoding the script into hex, so that ridiculous table could've been done away with by just using parseInt(str,16). If someone's gonna do something dumb, at least make it an elegant 1-liner. :P

At the risk of sounding like a zealous e-mail nutcase, I am going to put my foot down and firmly declare my belief that sending large binary attachments (e.g., photos, big PowerPoint presentations, MP3s, etc.) by e-mail is simply immoral and wrong. They are, dare I say it, sinful. Here are the three reasons why attachments in e-mails are evil:

First, e-mail was designed as a way to send messages, not parcels. It was designed from the start as a way to send plain text. It was not designed as a way to send parcels of binary data because there are a number of other, more suitable, ways to accomplish that, through methods like UUCP (though it too was 6-bit), FTP, and later, HTTP, SFTP, and various P2P protocols. If one ever looked at the source of an e-mail containing a binary attachment (e.g., the "Show Original" option in Gmail or the "Message Source" option in Outlook Express), one will quickly see just how text-oriented e-mail is. There is simply no way to send binary data using SMTP (although the new 8BITMIME handling can potentially alleviate this, it is rarely ever used). As a result, binary data must somehow be encoded as plain text if it is to be transmitted via SMTP. The most common encoding used today, Base64 (other encoding methods--e.g., Uuencode--work in a similar way and suffer from the same problems), converts 8-bit binary data (base-256) into 6-bit plain text (base-64; 26 capital letters, 26 lowercase letters, 10 digits, and two other characters make up the 64 characters). This means that any binary data transmitted via SMTP automatically incurs a 33% storage and bandwidth penalty in addition to a processing penalty because of the need to encode and decode between 8-bit and 6-bit data.

Second, in addition to this overhead inefficiency, there is now a certain inelegance added to e-mail. There now needs to be a way to tell the difference between regular text data and binary data that has been re-encoded into a block of text. This is done rather inelegantly by randomly generating a string of text, checking to make sure that this random string does not already exist somewhere in the encoded e-mail, and then inserting this random bit of text as needed to serve as a sort of ad-hoc boundary between the text and attachment sections of e-mails. Coupled with the encoding and decoding, this adds a certain degree of complexity to e-mail handling software, making the e-mail handling process more error-prone and adding more hurdles to the process of writing custom e-mail handling tools. Although modern webmail interfaces and e-mail programs are now so good at handling attachments that all the underlying grotesqueness is obfuscated and hidden far away from the user, this was not the case a decade ago when it was not too uncommon to encounter problems sending, receiving, and decoding attachments (been there, done that, got the t-shirt). Just because e-mail attachments work smoothly nowadays does not change the fact that underneath the veneer, it is still an ugly bastardization.

The final argument against e-mail attachments is one of infrastructure. Unlike HTTP, FTP, etc., e-mail is not a way to directly send data between two computers. For example, when someone at gmail.com e-mails someone at hmc.edu, the e-mail first travels from the user's computer to Gmail's "server". It then travels from Gmail's "server" to a server run by the Postini company, which then scans the e-mail for viruses and also determines if the e-mail is spam (it used to be that this filtering was handled by HMC's own server, but it was eventually outsourced to a commercial company, presumably because this filtering process was overloading the system). After processing, the Postini server then sends the e-mail back to yet another server at HMC that the students can then connect to and retrieve their e-mail. That is, unless they have an e-mail forward set up, in which case, that e-mail is transmitted once again to yet another chain of mail servers. So in this scenario, in the process of getting from one person's computer to another's, an e-mail message passes through at least four (and maybe five or six if there is a forward) different servers! Aggravating this problem SMTP retransmission, there is no pipelining. A SMTP server must fully receive the entire e-mail, save it to memory or to disk, perform any necessary processing (spam checking, virus scanning, or digital signature verification in the case of DomainKeys, all of which are somewhat taxing, hence why more and more organizations are outsourcing e-mail processing), and then finally retransmit it. In contrast, when a file is passes through a bunch of routers when going from one computer to another, there is pipelining because each router does not have to wait for all the packets to arrive before sending it off to the next. While this feature of SMTP (which is what gives e-mail the robustness needed for reliable communication) is not very problematic when dealing with small messages a few kilobytes in size, multi-megabyte files are not well-suited to this form of message transmission and will result in high latencies and even delays. In the worst case, some SMTP servers will simply fail when the message size becomes too great for them to efficiently process.

Trying to shoehorn the ability to send files into a system that was never designed for such use introduces a significant inefficiency in the packaging of the message, introduces ugliness into the structure the message, and involves the use of a system of message transmission that is far from ideal for the transmission of large data. The problem, unfortunately, is that none of the other ways to transmit data is as accessible. A peer-to-peer method, such as using the file sending function of various instant messaging systems, is very efficient, but will work only if both people are online at the same time. HTTP, FTP, SFTP, etc. will work, but requires that people either run their own servers or have easy and quick access to one. Unfortunately, while companies seem perfectly happy to promote and offer an inefficient system like e-mail for transmitting large amounts of data, they often put a lot of restrictions on any proper file storage and transmission services that are offered (and usually fail to offer easy, user-friendly ways for people to upload and manage data). This is probably because people who would abuse the system by transmitting things like warez would never use e-mail because it is so inefficient and unsuitable and thus e-mail providers are generally not worried about nefarious uses of large file transmission through SMTP like they are about nefarious uses of large file transmission through other means, which is unfortunate because this is effectively forcing people to resort to SMTP.

So make this your New Year's Resolution: Try to send files via a proper medium, if possible. Oh, and while you are at it, please set the default in your webmail or your mail software to use plain text by default instead of formatted HTML mail (my three e-mail pet peeves are attachments, HTML mail, and people forgetting to use BCC for multi-recipient messages).

Together, we can help purify the Internet... either that, or at least hold out like a bunch of Luddites, but the former sounds better. ;)

On November 11, I switched on my new anti-spam system (it had been running in a test mode for a little while before that). Since then, there have been 492 comments* received by this blog...

• Legitimate comments: 9 (1.8%)
  • Incorrectly filtered: 0 (0%)
  • Not filtered: 9 (100%)
• Spam comments: 483* (98.2%)
  • Caught by filter: 476 (98.6%)
  • Not caught by filter: 7 (1.4%)

I like that there are no false positives (the old system of content filtering and post age lockout was very problematic in this area). The 7 false negatives were rather unexpected, though. This means that spammers are now going as far as integrating scripting engines in their bots (either that, or those 7 were entered by a human and not by an automated bot). Oh well. A 98.6% catch rate isn't too bad.

________________
* This is an understated number because some of the spam bots are so poorly written that they can't even fill in the right blanks; those attempts that fail basic validation are not logged by the new system and are not included in this count.

Did you know that TIME has a blog? Can you guess what the address is? blog.time.com? Nope. time.com/blog? Nope. It's time-blog.com. Instead of the usual microsoft.com/windows website, Microsoft is running ads for Windows Mobile that point users to windowsmobile.com. Chevron's ads for their alternative energy initiative point users to willyoujoinus.com instead of something like alternatives.chevron.com (and this isn't an attempt to disassociate the brand name from the campaign because the URL in the print ad appears right next to a big Chevron logo). And there was a recent pharmaceutical ad that I saw that pointed people to a domain that looked like askabout[drugname].com.

Ideally, Internet addresses that belong to the Example Corporation should be in the form of division-name.example.com or example.com/product-name or example.com/campaign-name or service-name.example.com or region.example.com (for the company's regional divisions) or something else that is located squarely within the example.com domain. But instead, companies are now using promotion-name.com or company-service.com or companyusa.com. Instead of adding new addresses to the company's main domain, they are using a new domain name for every new website that they put up.

This is annoying and bad for two reasons. First, this is semantically impure and defeats the hierarchal and organizational structure of DNS and URIs. This is organizational equivalent of dumping all your paperwork in a single box instead of filing them into different folders and drawers. But this is only a minor problem that probably only purists like me would angrily shake their fists at.

The second problem is one of security and trust. A recent article discusses how scammers are registering sites that try to fool users into inputting their login information into a fake look-alike site. These scammers would register domains like citibank-secure.com, citibank-update.com, citibank-login.com, etc.; these are addresses that look like they belong to and are affiliated with CitiBank. The obvious solution would be to educate users that anything.citibank.com and citibank.com/anything are the only legitimate addresses because they reside within the CitiBank domain and are thus under the control and jurisdiction of CitiBank. This is where the issue of trust comes in because citibank-login.com resides within the domain of .com and is thus under the jurisdiction of, effectively, nobody. Unfortunately, few people realize that, because of how DNS works, any guy off the street can create a website at citibank-something.com while only CitiBank can create a website within the citibank.com domain. This lack of understanding is strongly reinforced as people are trained to accept that sites like time-blog.com are legitimate sites owned by TIME (why on earth blog.time.com couldn't be used it beyond me; if anything, "blog dot time dot com" is easier to say and remember than "time hyphen blog dot com") and that companyname-service.com is a legitimate site owned by companyname.com, then this attempt at user education becomes futile (to be sure, it was mostly futile to begin with, but now it's even more futile). Oh well. Companies have long been shooting themselves in the foot in terms of security.

PS: There are a number of companies that do it right, however. AMD's ad campaign directs people to amd.com/lessmoney. Similarly, Xerox, IBM, Intel, and Computer Associates do the same thing with the websites for their ad campaigns. While some of Microsoft's campaigns use improper domains, most of their print ads direct people to addresses like microsoft.com/peopleready. Unlike TIME, The Economist's blog is located within their own domain at economist.com/debate/freeexchange (though they could've picked a shorter name). Finally, while Google uses gmail.com for the domain of their e-mail service because it's shorter to remember and type for the @ part of their e-mail addresses, the actual login and webmail interface is located at mail.google.com. These offending companies should take a cue from the companies that handle domain usage properly and do things right.

PPS: Now that people are accessing websites via search engines, the need for short, memorable domain names isn't nearly as important, which makes the use of a separate catchy domain name fairly pointless. Not to mention that in many cases, these separate domains can be just as hard to remember, if not more. For example, when you sit down at the computer several minutes after hearing a pharmaceutical ad, could you remember if it was askabout[drugname].com, learnabout[drugname].com, or tellmeabout[drugname].com that was mentioned in the ad? Furthermore, that drug company's rivals could register "learnabout" and "tellmeabout" in an attempt to capture confused visitors who didn't remember the name quite right. Of course, this wouldn't be a problem if the first company made proper use of its domain names because there is no memory ambiguity in companyname.com/drugname.

Edit: Another addition to the Wall of Shame: verizon.net vs. verizonwireless.com vs. vzwshop.com.

I'm starting to log the number of blog comment-spam attacks that are launched against this blog. Can you guess how many attempts¹ there were over the past 12 hours?

Answer: 66.

So that's about 5 per hour. And it extrapolates to nearly one thousand blog spams per week. There is also a very healthy IP address diversity; there are only a few IP addresses that launch more than one attempt; most of the addresses are unique. These IP addresses also span the globe and come from every continent (to my surprise, even Africa, where there aren't many computers). These are the trademarks of a botnet. And if this is what a small, obscure and low-traffic site like mine gets, I hesitate to imagine what the big blogs experience.

BTW, this is a very good article that people (especially laypeople) should definitely read because it is one of the few articles that actually paints a fairly accurate picture (vs. the inaccurate crap that comes out of the mainstream media) of what computer security nowadays is really all about.

________________
¹ None were successful, of course. :)

It seems like more any more sites are using security questions. Forgot your password? Not to worry, we'll let you log if you can answer the question, "What was your mother's maiden name?" or "Where were you born?" or "What is the name of your dog?". So on one hand, people are being instructed to create better passwords that do not comprise of any personal Google-able information and on the other hand, more and more sites are offering these weak "back-door" logins that ask questions whose answers a Google search may reveal. But that isn't what bothers me; what bothers me is most of these places require that you provide these "security" questions (what a misnomer!). Great, so now my relatives (who will know my mother's maiden name, the city where I was born and that I have never owned a dog) can, if they wanted to snoop, request for a password reset? At least some sites are courteous enough to let you specify no security question or your own custom question (in which case, I use "What is your password?"). My solution has been to create a secondary secure password for use exclusively as security question answers and to use that as the security question answer regardless of what the actual question is. But it would be much easier if the idiots operating these sites respected user choice more (i.e., make the SQ optional) so that this wouldn't be a problem in the first place.

n.b.: Some places don't use the security question as a back door, but instead as a challenge that must be answered in addition to the password before one could log in. These are, I think, legitimate uses of security questions, but it is still rather patronizing because, while most people are idiots about creating secure passwords and thus such secondary authentication is necessary for them, for people who do practice "safe passwording", this is yet another nuisance.

This NYT article was linked to on Slashdot. It's a good article, definitely worth a read for non-technical people simply because the average person knows so little about computer security. But as a technical person, I have some bones to pick with this article.

1. Shopping is probably one of the safest things that you can do when surfing from a public hotspot using your own computer. That's because almost all e-commerce websites require SSL for logins and credit card input, so the sensitive traffic is encrypted. There are some sites that don't use encryption during transactions (in which case, using your credit card on such a site in public would be very stupid), but people should not patronize such places even if they are not in public because the failure of an e-commerce site to provide (and require) SSL is a signal that they are probably not too careful with data security in other ways as well. With IE7 and Firefox both coloring the address bar for secure sites, instructing people on detecting SSL should be easy.
2. All the major services like Google, Yahoo!, and Windows Live require SSL for logins so that passwords can't be stolen. In addition, Google is pretty good about providing optional whole-session SSL for a number of their services including Gmail and Reader so that all traffic--not just your login information--is encrypted.
3. E-mail passwords for SMTP/POP3/IMAP are still generally insecure, but a lot of people are using webmail these days (which generally have secure logins), and the use of the proper e-mail protocols over SSL is increasing (e.g., Gmail requiring SSL for POP3/SMTP).
4. The best form of security is still better password control, which the article does not evangelize. People shouldn't use the same password everywhere. I use a weak easy-to-type password for unimportant accounts or accounts without encrypted logins (like my IMDb account). A much stronger password with mixed case, numbers, and non-alphanumeric characters is used for accounts with encrypted logins and sensitive personal information (financial sites, shopping sites with stored credit cards, Gmail, etc.). Finally, there is password for accounts with sensitive info but no secure logins (I try to avoid having such accounts whenever possible, and I wouldn't access such accounts from a public place). (I also have a fourth password administrative things like logging into my computer or SSHing into my home network from the outside, but there is really no reason why I couldn't use my other strong encrypted password for this.) This is a much more effective way to limit the scope of security lapses for the average user than instructing him or her on the use of VPN or SSH tunnels, and three different passwords shouldn't be that hard for people to remember. And it is easy to create secure non-alphanumeric passwords that are easy to remember, either; e.g., x*6=42=>x=7 or pass(42%)!=T are memorable, secure passwords with letters, numbers, and symbols.
5. The article broadly advocates VPNs without discussing the other ways to ensure security. VPNs are rather specialized in their purpose are generally not necessary. Oh well, what did you expect from the mainstream media?

I guess in a nutshell, the article is good because it highlights the security problems that most people are not aware of, but it then goes into a typical mainstream media overhype and proposed overcorrection. This problem is not new, and a nice solution--SSL--has existed for eons.

I have been using Firefox 2 as the default browser on my regular machines (vs. running it on a VPC test box) for nearly a month now, ever since the first candidate for RC1 was spun (yes, that's a release candidate of a release candidate), and now that it looks like that RC3 is in all likelihood going to be the final version, I thought that I might comment on Firefox 2.

1. It has a much better memory footprint. It also seems faster and snappier, too.
2. Session saving and undo close tabs are now built-in features. This is great because I used to get these features from an extension. Unfortunately, the only extension to reliably provide these features was a horrible memory leaker and was somewhat processor-inefficient. Being able to dump this extension alone was worth the upgrade, and probably contributed to #1 above.
3. New tab management. I often have lots of tabs open, and I often overrun the tab bar, so the overflow scrolling and the drop-down list is extremely useful. The close button on each tab is annoying (since I close tabs by middle-clicking) and the wider minimum tab width is wasteful, but both of those settings can be changed in about:config.
4. Speaking of about:config, there is a new hidden setting that lets you disable compatibility checking for extensions. There are many Firefox 1.5 extensions that will not install in Firefox 2.0 because the author had set the maxVersion in the extension to 1.5 even though the extension really is compatible with 2.0. This configuration setting will allow me to install these extensions without using the NTT or manually editing the maxVersion code in each extension.
5. There is a handy button to restart Firefox after installing an add-on. The new session saving will also automatically kick in during such a restart to restore all of your tabs and even what you have filled into forms after the restart. Makes installing stuff much less painful.
6. Built-in spell check. No more copying-and-pasting into Word to check for typos.
7. Much better RSS handling; live bookmarks was lame.
8. Various minor bug fixes, such as the improved password auto-fill handling.
9. I personally love the look of the new theme and the little visual tweaks that were made here and there. The old tabs looked rather ugly on Windows Classic, and this is the first Firefox where I did not have to manually re-skin the tabs in the default theme to make them look decent in Windows Classic. Now combined with ClassicFox, Firefox looks quite stunning on Windows Classic. But of course, that is a matter of personal taste.
10. Personally, I do not care much for some of the other major features added in Firefox 2. Phishing protection is useful for Joe Sixpack, but not for me (I have it disabled). I liked the old-fashioned auto-complete instead of search suggestions in the search box (which I have also disabled), and microsummaries (live titles) just seems like a novelty.

I think this is the first time since the Firebird days that I was actually excited for a new release (well, okay, I'm not really excited about it because I have already been running it for a while, but you get the idea).

Firefox drop markers in Windows Classic; before and after:

Firefox menus in Windows Classic; before and after:

ClassicFox extension for Firefox 1.5 and 2.0. For those people who use [the proper and far superior] "classic" Windows instead of XP's Play-Doh Luna theme.

It looks like LiveJournal launched a new IM service a few days ago, based on Jabber/XMPP. Hooray! (If you're asking, "Why should I care about Jabber?", read this post.)

This is a follow-up to a post that I made back in July.

As I wrote in July and as I will write now, I am not a fan of conspiracy theories. As a result, I approached the documentary Who Killed the Electric Car? with a fair amount of skepticism, but since I had not seen the film when I first wrote about it in July, I held back on passing judgment. Well, I finally got a chance to watch it last night...

1. This film takes a surprisingly balanced view in that, in addition to presenting its side of the story, it takes the time to explore and address a number of the counter-arguments as well.
2. The film seems to be more documentary in nature than some of the other politically-motivated "documentaries" in the sense that I did not get the feeling that it was frothing at the mouth with anger. It was fairly rational, and does not try to take the conspiracy too far (unlike Loose Change, which made a number of claims that bordered on the ridiculous).
3. Lingering objection: If electric cars were really that great, why did they not take off in environmentally-friendly countries? The film indicated that Toyota made electric vehicles, but they are not an American company. Why did they not introduce such vehicles in Japan? Japan's consumer base is more rational and adoring of new technology. They do not have a powerful oil industry, and their government, in certain respects, is less corrupt than ours. The same could be asked about Europe.
4. Lingering question: Is the film representative of EV1 drivers? Were most EV1 drivers really as satisfied as those portrayed or did these people represent a minority of those who tried out the EV1? I have no reason to suspect that the latter is the case, but I would be interested in knowing the answer to this.
5. Lingering objection: This still does not address the problem that our electrical infrastructure is in no way suited to handle the sort of strain that electrical vehicles would produce on a large scale. Granted, a hydrogen infrastructure would be even more costly, and the cost of upgrading the electrical infrastructure could easily be pushed off to the utilities who would stand to profit in the long run from this.

Overall, I think that the film is surprisingly good and presents the case without exhibiting much of a tin-foil-hat syndrome. Go watch it.

Part I: Fun with Malware

According to my server logs, it would appear that one of the images from my gallery has become the background image of a number of different MySpace profiles (these are total strangers who probably found the image through an image search). So I thought that I might as well amuse myself by looking at these log entries. For example, while there is a significant number of people who visit my blog using alternative browsers (though they are still a minority), virtually all of the people who access the MySpace profiles that embed my file as a background are still using Internet Explorer.*

This glimpse into browsing habits of the "normal" world is not particularly interesting, except for a few entries that caught my eye. These entries had a user-agent string of Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; SpamBlockerUtility 4.8.0). How odd, I thought, that that someone would have a spam blocker add-on installed for a web browser. As I expected, Google search results indicate that this "SpamBlockerUtility" add-on that this particular person had is indeed malware. I then went to SBU's website for the heck of it and quickly discovered that this is the Mark Foley** of software in terms of hypocrisy. It describes spam as "harmful and irritating" (it is funny to see a malware company say that) and that by blocking spam, it can save bandwidth (right, because client-side spam software can now magically block spam on the server side; and what about the adware bandwidth?). But the fun doesn't stop there! They also bundle such useful and relevant things like a thousand different emoticons to make your e-mails "cool" (no doubt a bundling agreement with one of the malware companies that specializes in those emoticon toolbars). Their website even has a section on helping users with installation problems: it instructs people on how to log in as an administrator. Anyway, I had a great laugh looking through their website. Unfortunately, as evidenced by these log entries (and by the even larger number of IE systems that have "FunWebProducts" installed), there really are people who fall for these things.

Part II: Kernels, Anti-Virus, and the European Union

As reported by Slashdot, Microsoft, under pressure from European antitrust officials, is opening kernel-level access for third-party anti-virus packages, like McAfee and Norton. The Washington Post article frames this as an issue of anti-trust, which is incorrect (and the officials in Europe are equally confused about this matter). The heart of the matter is that Microsoft locked down kernel access in Vista, and now the makers of Norton and McAfee are complaining that this is an attempt to lock them out of providing anti-virus for Windows.

1. There are other (better) third-party anti-virus makers who have made their products Vista-compatible without needing to get through the kernel lockdown. Most importantly, even Microsoft's own anti-virus package does not require or get kernel-level access. So how exactly is this an antitrust issue?
2. The whole point of the kernel lockdown was to make the system more secure by limiting the amount of system access that any piece of software could have. This is the digital equivalent of allowing law enforcement officers to freely break the law.
3. Norton AntiVirus does not exactly have a great track record and can sometimes cause more problems than it solves. Kernel access? Bad idea.
4. Real computer security does not come from anti-virus. It never has, and it never will. Real computer security is accomplished through educating the user. Anti-virus is snake oil: at best, it is a band-aid; at worst, it is poison.

________________
* And people wonder why most geeks have so little respect for MySpace...

1. One should not use a photo as a background image on a site, at least not without first editing it to soften the contrast; these MySpace users appear to lack a basic sense of aesthetics.
2. These MySpace users seem to be unaware of etiquette regarding things such as hotlinking.
3. Not only is hotlinking poor etiquette, but embedded hotlinking allows the host server (in this case, me) to log and spy on the visits to their site. For example, I could tell how frequently a particular visitor (uniquely identified by IP and UA) reloads/revisits the profile; how is that for creepy? Well, this is, after all, how graphical counters work.
4. Internet Explorer?
5. Installing a spam blocker for a web browser. Riiiight.

** Sorry, I couldn't resist; it's the fad these days, and I guess I am sometimes a slave to fashion.

It all started out as a rumor. Which the Wall Street Journal then picked up. Eventually, everyone was talking about it. I, however, did not believe in this rumor because it made absolutely no sense:

1. Google is buying a pile of liability. YouTube is flooded with illegal material that infringe copyright. YouTube has not been sued yet because they are a small independent operation with no money. If Google owns YouTube, then there is suddenly a lot of money that could be won through infringement suits. This alone makes Google's buyout of YouTube incredibly stupid.
2. Google will eventually be forced to clamp down on copyright infringement on YouTube, thus sanitizing it to something similar to Google Video. Illegal videos are extremely common and popular (popular enough to draw even Bill Gates into piracy crime). Any clampdown will effectively destroy the attractiveness of YouTube and decimate its user base.
3. Google already has a decent video service of its own. Once the YouTube user base is destroyed, Google would just have a shell of a company that is no better than its own video service.
4. There is no way that an unprofitable YouTube could be worth over $1.6 billion USD.

As it turns out, Google really did bite. Well, my criticisms still stand, and I am dismayed at this decision. This also reinforces my belief that Google really does not have much in the way of a grand scheme. If Google really did have a plan, there would not be the recent decree to their employees telling them to stop launching products and to instead focus doing things like integrating existing ones into some sort of coherent strategy. Google is a company built on accidental success (Google's CEO: "We throw it against the wall and see what sticks.") and driven by only a vague silhouette of a strategy, and this YouTube deal (which is so reminiscent of the sort of reckless drunk-on-success deals of the dot-com bubble) certainly fits that characterization.

I rarely visit Digg, but I do glance at it every now and then. One of the items on the front page last night when I decided to visit on a whim was about cars running on water. It had over 300 diggs by then, and as of this morning, the count was over 700. It's quite a high number of diggs for something that is pure quackery that should never have even made it to the front page! In contrast, when AOL offered free (well, sorta free) domain names through their My eAddress service, that got only 17 diggs and did not make it to the front page.

There is a lot of confusion over what exactly this new "Web 2.0" buzzword is all about, and the most widely accepted notion of Web 2.0 is that there is a new paradigm of user-generated content*, like blogs, "democratic" news (Digg), inane YouTube videos, etc. But there is a problem with this, as Digg has illustrated: the quality of the content of Web 2.0 is only as good as the quality of the collective, and unfortunately, this world is brimming with idiots. Of course, even places with editorial oversight like Slashdot is far from perfect, if people can remember the time when they reported on a compression scheme that could compress arbitrary random data (which, by the way, is patently ridiculous and simply impossible and can be easily proved so mathematically), but those who criticize the failure of Slashdot's editorial board will likely have a heart attack when they see what sort of things make it to Digg's front page each and every day.

Needless to say, I have little confidence in the wonders of Web 2.0. And as distasteful and politically incorrect as this may sound (esp. coming out of a libertarian like myself) there is little wonder why our Founding Fathers did not advocate the direct election of Presidents (more...).

________________
* Ironically, this what the web was about at the beginning, at least, before the dot-com gold rush; so we're actually going from Web 1.1 back to Web 1.0, but apparently, nobody likes the sound of that.

I recently noticed that both Dell and Gateway are offering RAID-0 hard drive setups. What was interesting about this was that there were only three types of hard drive options that Dell and Gateway offered: single drive, RAID-0, and RAID-1. There was no option to have a second drive without RAID.

While it is good to see companies offering RAID-1 to mainstream customers, it is surprising to see them offer RAID-0. First, nobody should ever be running hard drives in a RAID-0 setup. Well, okay, there are some situations where RAID-0 makes sense, but they are rather special and they certainly do not apply to Joe Sixpack buying from Dell or Gateway. These are people who would be unable to make much use of (or even notice) the performance boost from RAID-0, and these are also people who tend to be very lax about data backup. In other words, the average computer users that these companies are selling RAID-0 to represent a group that is probably the least likely to benefit from RAID-0 and is also probably the most vulnerable to the greatly increased risk of catastrophic data loss posed by RAID-0.

And it is not the offering of RAID-0 that is troubling, but rather how they are offering it. First, both companies label RAID-0 as "performance", and in the case of Dell, they even have a page touting the performance advantages of RAID-0. Okay, there is nothing wrong with that since RAID-0 is faster. Second, they do not post any information whatsoever about the risks of RAID-0. So not only are there no warnings presented when a user chooses RAID-0, if a user actually takes the unusual step of reading what RAID-0 is all about on the Dell website, they will not find a single word talking about the downsides of RAID-0. If a consumer chooses RAID-0 with the knowledge of the huge risk that is being taken, that is fine: it is their choice. But that is not the case if a consumer chooses RAID-0 because s/he has been told incomplete information (and before free-market advocates can criticize that sentence, I would like to remind everyone that one of the conditions necessary for free markets is symmetric information, and this is a violation of that). Third, RAID-0 is also the best possible price point. A single 500GB hard drive costs more than two 250GB drives, so the user is presented with the option to get 500GB worth of total capacity for less money and for improved performance. Who could resist? Of course, that two lower-density drives could cost less than a single high-density drive is nothing new, but in the past, people who took the two-drive option were just given two hard drives, without getting them chained together into a reckless RAID-0 setup. Furthermore, that non-RAID option no longer exists at either Dell or Gateway: if you want to take advantage of the lower cost of two hard drives, you are now being forced to take the RAID-0 option. Finally, this setup is rather prominently marketed and is being presented as a mainstream option instead of a "for people who know what they are doing" option. In the past, Dell would offer people a choice over the number of hard drives and then as a separate advanced option, they offered the user a chance to chain them together in RAID. Not any more: the RAID is built straight into the main hard drive selection. In fact, it is so mainstream that there is one Gateway offer where there was a free upgrade to the 500GB RAID-0 setup.

So why would they do this? I have a theory: over the years, Joe Sixpack has gotten drilled into his dull little mind that "C:" is the hard drive and that "D:" is the cupholder CD/DVD drive. Imagine the confusion when Joe Sixpack now has a computer where "D:" is a second hard drive and that the CD/DVD drive is now "E:". Furthermore, would Joe Sixpack really know how to use a second hard drive? In all likelihood, he will install programs to their default locations (on C) and he will save his files in "My Documents" or on the Desktop, which is also on C. And eventually, the C drive may fill up while D remains empty (preemptive note to Mac/Unix people: NTFS is perfectly capable of Unix-style drive-in-a-folder mounting; in fact, I use it extensively, but even mounting cannot completely solve this problem because inevitably, Joe Sixpack will be wondering why one of his folders is full and why the others are not or vice-versa). Now that the new Intel chipsets make it possible to do RAID without installing extra hardware, companies have realized that they can wipe away the confusion that two hard drives will cause average computer users while even touting a bit of a performance boost. Of course, the cost of this blissful ignorance is data insecurity, especially since studies show that members of the Sixpack family rarely back up the digital assets that they value the most: photos, personal documents, etc.

I wrote a Firefox extension yesterday. It is not anything earth-shatteringly great. Just a simple function that I had wanted and that I had wanted to be implemented with an extension that was very simple, small, and lightweight. There were only a few dozen lines of code, and it was more of a two-hour learning exercise.

Now what was interesting about this experience was that I got to work with something that I hadn't touched since 1998: JavaScript, and this post is mostly about that experience. But before I begin, I should do a quick backgrounder. A large number of people do not know that most Mozilla products are kinda like elaborate webpages. At the core is the Gecko rendering engine, written in C and natively compiled. This handles all the grunt work and handles things that are specific to the operating system, like dealing with graphics (GDI+, OpenGL, etc.), the file system, etc. In the case of Firefox (or Thunderbird, Sunbird, Songbird, Seamonkey/Mozilla, etc., but not Camino), the browser itself, however, is written in a markup language called XUL. Like XHTML, it is a XML-based markup language, and it works an awful lot like HTML but with different tags. And Firefox is just one really big and elaborate collection of XUL, so Firefox is in a way akin to a big collection of HTML webpages. And just like HTML, the style and layout in XUL is controlled by CSS. This, by the way, is what makes up Firefox skins: they're just a collection of CSS files and graphics, and it's the CSS files that specify where things should be placed, how much spacing there is between various items, what colors to use, what images to use, etc. The brilliant thing about this setup is that it's cross-platform. Just as a webpage will look the same in Windows as it does in Linux, the XUL user interface is equally cross-platform. And since they already have Gecko to render webpages, why not save themselves the trouble have Gecko render the user interface too? It is also brilliant in that it provides for a fairly clean separation of the front-end user interface from the back-end, and XUL+CSS makes changing the UI and custom skinning much easier than most other skinning systems because a lot of people are already familiar with HTML+CSS.

While XUL+CSS is, in my opinion, ingenious, the Mozilla way of doing things does have one soft spot. A webpage isn't just about layout and design. Function is what matters, and something's gotta happen when a user clicks on a button or selects an option or else all you've got is a pretty picture. This is where the JavaScript comes in. Yes, the Firefox user interface is powered by JavaScript. Click "OK" in the options dialog, and you're calling up a JavaScript function that saves the options that you selected. From a practical perspective, I can see why Mozilla went with using JavaScript. It fits this "webpage" style of software, it means that they can just reuse the JavaScript interpreter already in Gecko instead of scratching out a new language, it--along with XUL and CSS--makes working on Firefox and Firefox extensions relatively easy (at least compared to say, working on an IE extension; you just need a Notepad and WinZip; no compilers needed!), and it means that they can rely on the great pool of existing JavaScript programmers. But hold on a minute... JavaScript programmers?

As the name would suggest, JavaScript is a scripting language that borrows some of the style of Java (though the two are unrelated). With the rise of Firefox and with the rise of AJAX, people are starting to take JavaScript a bit more seriously instead of snickering at the very concept of a "JavaScript programmer", but that doesn't change the fact that the language is, fundamentally, a tacky curiosity. Putting JavaScript's following of Java's moronic dogma towards the OO style, the fact that JavaScript was originally conceived as a lightweight language scripting language designed for trivial frills is evident. This is a language where, even today, changing the third byte of a string requires blowing up the string and manually piecing it back together. Ugh.

Needless to say, my experience with coding up the extension didn't go quite as smoothly as I had hoped. I hadn't coded JavaScript since 1998, and I needed to check the language reference, but that's okay. Every programmer needs to consult a language reference. The frustration was just dealing with the quirks and limitations of the language itself. For example, the ability to access a character in a string using [ ] but not being able to modify it that way is a rather annoying limitation of the language, and a very counter-intuitive one at that. While there have been efforts made over the years to mend JavaScript's shortcomings, the need to maintain backwards compatibility means that JavaScript can never be truly and fully reformed. JavaScript is, IMHO, a bastard language that should have been aborted at birth, but unfortunately, it has survived. Fortunately for me, my extension was simple and short, so I only had to deal with JavaScript for a couple of hours, and since I do not intend on becoming a "JavaScript programmer", I don't think I will have many more run-ins with this language. I do, however, have some newfound respect for the poor souls who do have to do major amounts of coding in JavaScript. At least people working on the Firefox interface using XUL+CSS+JS are lucky: they don't have to deal with the fact that IE, Opera, Safari, and Mozilla all handle JavaScript differently. It's a wonder how people who do AJAX haven't jumped off a cliff yet.

It has been over a year since Google Talk was released. It has, unfortunately, not caught on. While this does not bode well for Google, the real loser here is Jabber and the entire Internet community as a whole.

What the heck is Jabber, and why should I care?

To describe Jabber, one needs to first understand the essence of the Internet. I am sure that most people have met someone who thinks that www.msn.com is "the Internet". There are many who think that the Internet is some monolithic and centralized thing, which it is not. The Internet is like a road network. Like a road network, it is composed of smaller networks and road segments that happen to be connected to each other (a country's road network contains many different local city networks and even private driveways). There is no central authority (the Federal government may have control over Interstates, but it has no control over a local residential street); instead, the Internet is an interconnected collection of smaller independent networks.

This decentralized nature of the Internet is mirrored in how e-mail works. Like the Internet, there is no central e-mail authority and there is no centralized magic hand that makes e-mails go where they are supposed to go. When you e-mail bill@example.com, the e-mail server that you are connected to asks example.com's name server what its mail exchange (MX) server is. example.com's name server might reply by saying that its MX server is located at mx.example.com. Your mail server then hands the mail over to mx.example.com, and mx.example.com then takes it from there: if mx.example.com recognizes the user bill, it will place the mail in his inbox; otherwise, it will report that the e-mail address is invalid. If example.com does not run its own mail server and instead outsources its e-mail handling to a mail service (for example, Google Apps for Your Domain), then its name server would report that its MX server is located at aspmx.l.google.com and the mail would be sent there instead. Like the Internet, there is no central authority in mail. Mail works by millions of decentralized mail servers passing messages to one another, and these mail servers know which server to pass messages along to based on