Alphabet Soup: XP SP and EV SSL XSS!
Monday, May 19th, 2008 Posted in Computers/Internet | 2 Comments »
Sorry for the lack of updates this past week. I was just way too busy prepping for our move this weekend.
A couple of interesting news bits I noticed when I got into work this morning:
It looks like I’ve been lucky with installing Windows XP Service Pack 3. I’ve had no problems with the one machine I installed it on. According to Information Week, a lot of people are having serious problems with SP3, including BSOD on AMD-based systems.
Also, Netcraft has a screenshot of a PayPal page with both the green bar of an Extended Validation (EV) SSL certificate and a cross-site scripting (XSS) vulnerability. It’s a step or two beyond the standard lock icon, but there are still limits to what an EV cert can tell you. Unfortunately PayPal and others are really trying to drum “green bar = safe” into people’s heads.
Apple UI Nitpicking
Thursday, November 1st, 2007 Posted in Annoyances, Apple | 7 Comments »
I appreciate that Apple offers a single software updater for all its free Windows software. But one thing annoys me about it.
It opens a window, then opens a message box showing a progress meter as it checks for updates. Only one problem: It fills out the “New software is available” caption before it actually checks.

New software is available… oh, wait, no it isn’t.
This isn’t an issue on Mac OS X, because the progress meter is shown as a sheet, which drops down from the top of the main window and obscures the caption. But on Windows, that caption is visible from the moment the window appears, saying that you really do have something new available, raising your hopes that maybe, just maybe, Apple has finally gotten around to releasing that new version of Safari, or that security fix for the flaw you heard about a week ago, then dashing them to the ground.
Or, less dramatically, it’s jumping to conclusions, providing potentially false information.
And then, even if it turns out there isn’t anything new, the caption stays in place…leaving you with two contradictory statements as to whether any updates are really available.
Safari on Windows
Monday, June 11th, 2007 Posted in Apple, Browsers, Web | 3 Comments »
Wow. I have to admit I was not expecting this at all, but Apple has just announced they’re releasing the Safari web browser for Windows.
Increased consumer choice, of course, is a good thing. The most immediate benefit, though, is that Windows-based web developers (the majority) who haven’t been willing to buy a Mac to test their sites in Safari will be able to do full testing on all four major rendering engines: Trident (IE), Gecko (Mozilla/Firefox/etc.), WebKit (Safari) and Presto (Opera).
Also, there’s some really cool stuff available in recent versions of WebKit that will be great to have available for a wider audience.
Interesting thought: this may be the first browser released since Opera expanded to Linux in ~2000 that is available in the same version on Windows and Mac, but not Linux. Even when Internet Explorer was available for the Mac, it used a different engine than the Windows version did.
I wonder what impact this will have on the development of Swift. Its main claim to fame was porting WebKit to Windows, and it’s been months since their last release.
I also wonder what the status is on re-merging the KHTML and WebKit forks. It’s gotten to the point that Konqueror is only an approximation of Safari, making testing on Linux a little harder than it used to be.
No doubt there’s a 500-comment Slashdot discussion already.
Update: Slashdot’s all over it, and Opera Watch has a thread going as well.
Update 2: I’ve posted my thoughts on the implications for Opera. There’s an update at CSS3.info, where they have previews of upcoming CSS features available in Safari 3.
Update 3: I’ve updated the Alternative Browser Alliance to reflect Safari’s new status. This also solves a nagging doubt I’ve had as to whether the default browser on Mac OS should really be considered “alternative.” On Windows, it definitely is.
Update 4: The WebKit team and Web Standards Project have weighed in. The Windows version of WebKit should be available later today, which will be nice for following progress on issues as it moves from beta toward final version. It turns out there’s a regression and at least the Windows version no longer renders the Acid2 test correctly.
Update 5: The author of Swift says that Swift isn’t going away, and points out that “Swift renders more like a Windows Application, both in the GUI and in WebKit. Safari, looks just like OS X, similar to iTunes 6 and below.” Ever since Apple started porting apps to Windows, I’ve found something odd: A common complaint about third-party Mac software is that it doesn’t look and feel native (one of the big reasons we have Camino as well as Firefox), yet when Apple ports their own apps to Windows, it makes them look exactly the same as they do on Mac OS instead of making them work like native apps. I mentioned this to Katie yesterday and she suggested it might be a case of turnabout being fair play.
The Fall of Windows 95
Thursday, June 22nd, 2006 Posted in Computers/Internet | 1 Comment »
Windows 95, Windows 98, and Windows Millennium Edition will stop getting security updates next month. Firefox 3, due out next year, will require Windows 2000 or later. A lot of controversy has erupted over the wisdom of these decisions.
But how many people are still using these older versions of Windows? And how quickly are they switching to newer versions?
Exact numbers are tricky to measure on the web, but trends… trends, you can measure. So, I present: the percentage* of Windows users visiting hyperborea.org using the Windows 9x series over the past three years.
| Win9x | Period |
|---|---|
| 36.8% | June 2003 |
| 19.4% | June 2004 |
| 9.0% | June 2005 |
| 4.8% | June 2006 |
As you can see, the Win9x/Me share has been dropping precipitously for at least three years, exhibiting a half-life of one year. Assuming this trend continues, it will drop to roughly 2.5% by this time next year. Admittedly still ahead of this month’s Linux stats, but then Linux doesn’t seem to be shrinking by 50% every year. This may be accelerated by Microsoft dropping security support, and by the release of Windows Vista, currently due sometime early next year.
I think it’s safe to say that the Windows 9x series is dying out.
*Calculated by summing the number of hits recorded by AWStats for Windows 95, Windows 98, and Windows ME, then dividing by the total number of hits for all versions of Windows.
Trying to update Java
Thursday, December 1st, 2005 Posted in Annoyances, Computers/Internet | No Comments »
The SANS Internet Storm Center remarks on the challenges of fixing Java vulnerabilities, since Sun’s installer only checks once a month by default—based on when you installed it, not on a standard schedule.
Well, it’s worse than that. My Windows 2000 box at work was easy. I just went into Control Panel, opened the Java Plugin, and told it to update. At home, on our Windows XP box, I had to go through multiple reboots just to get the installer started.
It wasn’t XP that was the problem, though: It was Norton Internet Security. First it disabled all network access from Firefox when I installed the new version. Then it blocked access to the Java updater, so whenever I clicked on “Install” it would just disappear instead of launching the installer. I resolved it (for now) by disabling Norton while I did the install…but I had to reboot in order to get as far as the first step again.
Browser War, OS War
Wednesday, August 10th, 2005 Posted in Computers/Internet | 1 Comment »
It occurred to me today that if you lay out the three major players in computer operating systems and the three major players in web browsers, the results track remarkably well.
- Windows and Internet Explorer. The dominant player. Obtained that position by being good enough, cheap enough, and promoted enough to win a protracted two-way battle. Detractors claim the victory was primarily due to marketing and business practices, not quality. Plagued by a public perception of insecurity. Currently trying to maintain that lead against an opponent unlike any they’ve faced before. Believes itself to be technically superior to the other options.
- Linux and Firefox. Open source product with a core team and hundreds of volunteer contributors. Originally created as a replacement for a previous major player. Very extensible. Promoted as a more secure alternative, but has faced growing pains with its own security problems. Highly regarded among many computer power users, beginning to gain mainstream acceptance and challenging the dominant player. Believes itself to be technically superior to the other options.
- Mac OS and Opera. Has been there since the beginning. Constantly innovating, pioneering ideas that get wider exposure when their competitors adopt them. Very dedicated fan base that never seems to grow enough to challenge the dominant player. Has been declared doomed time and time again, but keeps going strong. Believes itself to be technically superior to the other options.
It breaks down, of course. Traditional UNIX is missing from the OS wars, though it provides a nice analogy to Netscape for Firefox. The battle lines don’t quite track either, since the previous wars were Windows vs. Mac and IE vs. Netscape. And Safari’s missing entirely. But it’s interesting to see the same three roles in play.
Who needs version numbers, anyway?
Friday, July 22nd, 2005 Posted in Computers/Internet | 1 Comment »
Just a day after Firefox decided to jump from 1.1 to 1.5 (triggering far more discussion than the numbering change really deserved), Microsoft has announced the official name for Longhorn: Windows Vista.
Okaaay. Yeah, I can see the connection: a vista is something you see through a window. But at that point, why not just go for broke and call it Ventanas or something?
Yeah, no one wants to use numbers anymore. It’s kind of like in the mid-1990s when it was taboo to tack a number onto the title of a movie sequel. As if having a 7 on Star Trek: Generations or a 4 on Alien: Resurrection would have scared off more viewers than the movies themselves.
Meanwhile, we’re left with yet another version name that does nothing to help you keep track of which version is newer. XP? 2003? Vista? MX? CS? Tiger, Leopard and Jaguar?
Suggestive logo
Saturday, June 25th, 2005 Posted in Tech | No Comments »
Here’s another example of using a design that suggests a logo, rather than using it outright. This is a “Win Compatible” badge from the package of a KVM switch. (I think it was from IOGEAR.)

What I like about this is that it manages to get the idea across clearly even though it doesn’t use the actual Windows name or logo. “Win” is enough to get the name across, and the overlapping colored rectangles immediately call to mind the look of Windows 2000, Windows Me, and Office 2000. Sure, it’s one redesign back, but it’s still recognizable.
As for why they made their own logo? Well, it’s all hardware, with no drivers needed, so there really isn’t any point in putting it through the OS compatibility tests. You might as well label a monitor as being “Designed for Windows.” But not everyone knows what is and isn’t OS-dependent. Even those who do are more likely to buy it if they have that reassurance. I’ve looked at devices that I was 90% certain should work with any OS, but bought the one that specifically mentioned Mac or Linux compatibility because it filled in that last 10%.
Reinventing the Upgrade Wheel
Thursday, June 23rd, 2005 Posted in Annoyances, Computers/Internet | 3 Comments »
The internet is a hostile place. Viruses, worms, and worse are constantly trying to break or break into your computer. Software developers are constantly fixing the holes that can let them in. It’s become critical to keep your system up to date. Unfortunately this can be very frustrating, even for a power user, for one simple reason: you have to keep track of each program individually.
Sure, the operating systems have their own centralized places. Microsoft has Windows Update, and Apple has Software Update. But every application that exposes itself to the network directly or opens untrusted files has to be updated, and there are many that aren’t part of the operating system.
So Symantec has Live Update. Real Player has its own updater. iTunes and QuickTime for Windows can update themselves. Adobe Reader has an update function. Firefox is redesigning its update system. Games check for updates when they connect to the network.
But wouldn’t it be nice if Windows would grab the Acrobat updates overnight, instead of waiting until the next time you launched it? Wouldn’t you like to be able to patch everything on your system at once and just not worry about it? As a software developer, wouldn’t you like to be able to let someone else deal with the update problem instead of re-inventing the wheel yet again?
Setting up Windows
Friday, May 27th, 2005 Posted in Computers/Internet | No Comments »
We finally replaced our 4-year-old Windows Me computer with a new Dell (I’d had enough of building computers a few weeks ago) and it arrived yesterday. Katie had already asked me to upgrade her Mac while she made pizza for an office party. I had planned to finish installing Tiger first, but once you get past a couple of options and the EULA it’s all a matter of waiting for it to finish.
There’s something oddly exhilarating about simultaneously setting up both a Mac and a PC.
Of course I spent the next few hours registering the pre-installed software and updating everything. Run Windows Update. Reboot. Run LiveUpdate for Norton Internet Security. Reboot. Run Office Update (twice). It’s nice that Dell will pre-install stuff for you, but given that the computer is built to order, you’d think they could apply the updates before shipping.
With today’s hostile internet, it would greatly benefit not just new computer owners but the world at large if Microsoft (and Apple and Red Hat, while we’re at it) would take a cue from SuSE and Mandrake and tie their update systems into the setup process.
To Microsoft’s credit, Windows XP setup gives you a chance to turn on automatic updates, and recommends it to the point of “Well, if you really want to turn it off, you can, but you’ll be sorry!” And I’m reasonably certain Windows Firewall was turned on by default (i.e. it’s on now, and I don’t remember turning it on), though Norton supersedes a lot of its functionality. Depending on the default firewall rules, that should mitigate the impact of any worms that happen to pick your IP address before you run Windows Update.
Correction: It seems Windows Firewall wasn’t on as I thought. Norton Personal Firewall kept asking me whether I wanted to disable redundant rules (makes sense) or disable Windows Firewall entirely (I told it no—twice), so I assumed it was running. I hope it was only off because Norton was pre-installed.
Restart your computers!
Thursday, May 19th, 2005 Posted in Annoyances, Computers/Internet | 1 Comment »
Microsoft’s automatic update system is now offering an update to the Windows Installer. That’s the program that handles all those .msi files you use to install new applications, keeps track of what’s currently installed, and lets you uninstall them.
And it needs to reboot after installing?
WHY? What low-level system file did they have to change? There is a Windows Installer service, but it’s not running, and even if it were, they should just be able to restart the service. Why do I have to reboot the entire #@!$ computer because I agreed to install an update to something that isn’t running? Is the design so broken it can’t update itself?
I’ve never had to reboot a Linux box after upgrading RPM, Yum, or Apt (the equivalent software on many Linux systems). Never, in the seven years I’ve been using Linux.
And you know, it would have been nice to know that this update would require a restart before I decided, “what the heck, it doesn’t look like anything that’ll require me to restart, I might as well grab it now.” Telling me that some updates may require a restart is like labeling a box of cookies “Processed in the same state as a peanut farm.” It’s useless. It gets ignored. Kind of like this rant probably will.
Update: I’d love to make this change to the dialog box: “No, it’s not F*ing OK but you’re going to make me restart anyway!”
Subtle Update Hint
Monday, January 17th, 2005 Posted in Linux | 1 Comment »
Something that could help with the ever-shrinking window between turning on a new (Windows) computer and getting hacked by some automatic probe is to just make downloading security updates part of the setup process. I installed two Linux distributions this weekend, Mandrake 10.1 and SuSE 9.2, and both did this.
What I liked about the SuSE installer was the way the option was worded. The setup utility asks you if you want to “test your Internet connection.” It tests the connection by downloading the latest release notes and checking for updates! (Unfortunately, it somehow chose an old mirror of the SuSE site—not the one I used during the installation—and the process failed.)
IE Flashback
Saturday, September 18th, 2004 Posted in Browsers | No Comments »
I had to reboot one of the Windows servers on Thursday, at which point the GDI+ checker installed by Tuesday’s security fix popped up a message explaining that there was still some software with the JPEG vulnerability. OK, fine, I’ll run it again and see what’s missing. So I clicked on, well, OK, and it pulled up Internet Explorer.
More to the point, it pulled up Internet Explorer 2.0.
You see, that machine has some leftover files from a previous OS, and somehow the GDI+ utility picked up on that copy of iexplore.exe. Of course, it could barely handle the vulnerability info page — no ActiveX of course, and it even displayed raw JavaScript code at the top of the page because it wasn’t hidden inside a comment! (Even Lynx can handle that now!)
But once I fired up IE6 to actually run the test, I figured as long as I had the old one running, why not check a few site layouts? Or some browser sniffers, and see what it claimed and what it could handle?
Almost nothing, as it turns out. It couldn’t even find any of the sites I tried. And from the way it couldn’t find them, I realized exactly what was missing: it couldn’t handle virtual hosts.
Is XP SP2 Just a Placebo?
Friday, September 3rd, 2004 Posted in Computers/Internet | No Comments »
I thought I ought to post this link in light of my recent post about WinXP SP2 news coverage.
Via OSNews comes WinXP SP2 = security placebo?
The Register did an analysis of the security features in Service Pack 2 and concluded that it just plain wasn’t enough. Lots of services are still on by default, and as others have pointed out, the firewall only checks incoming connections, meaning once the spyware gets on your machine, the firewall won’t do you any good.
It’s an interesting read, and it approaches the issue from a completely different perspective. Rather than “It breaks stuff (which probably shouldn’t have worked in the first place),” it’s “It doesn’t do enough to fix stuff.”
To be fair, even the Register concludes that it is at least better than XP SP1, so the security isn’t all in your head. But there is the risk that people will think installing it is enough, when they still need to practice safe computing and make some effort to harden the system.
They just can’t win
Monday, August 30th, 2004 Posted in Computers/Internet | No Comments »
Microsoft has spent the past few decades focusing on convenience and backward compatibility. As a result many of their products are so riddled with security holes that worldwide virus outbreaks hit every few months, and unpatched Windows systems are compromised within 20 minutes of being connected to the Internet. And let me tell you, Microsoft has gotten a lot of flak over this.
Windows XP Service Pack 2 represents a major shift, promoting out-of-the-box security at the expense of compatibility and convenience. So what happens? Just about all the coverage I’ve seen looks like this:
- Windows XP SP2 could break existing applications
- Windows XP SP2: Trouble Ahead for Developers, Users
- Windows XP SP2: What to do when the Windows break
- Windows XP SP2’s Trail of Broken Apps
- More Vendors Report SP2 Woes
- Is Windows XP SP2 Worth Your Pain?
- 200 apps clash with XP SP2
Come on, people. You’ve spent the last five years criticizing MS for neglecting security in favor of compatibility, and when they finally switch gears, you criticize them for that?
Certainly you should check the list of compatibility issues before installing — you should do that with any upgrade. And of course SP2 won’t solve everything, but it’ll help considerably.
I just find it amazing (although I suppose I shouldn’t) that they finally do what people have been saying they should do for years, and they still get criticized.

