Monday, December 24, 2007

rsync and cygwin on 2003 Server

I encountered the following error when trying to use rsync to copy data from a Linux server to a Windows 2003 Server running Cygwin:

rsync: Failed to exec ssh: No such file or directory (2)
rsync error: error in IPC code (code 14) at /home/lapo/packaging/tmp/rsync-2.6.9/pipe.c(86) [receiver=2.6.9]
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at /home/lapo/packaging/tmp/rsync-2.6.9/io.c(453) [receiver=2.6.9]


I did a bit of research into running 2003 server and rsync and getting this error. At first I thought it was a security issue, as 2003 server does start off locked down in a way that 2000 server just didn't do.

The search for a security or firewall related cause of the problem was fruitless. I stumbled across a few posts where people were using the Windows command prompt and got rid of the error when they set the appropriate environment variable to point to the SSH binary.

Sure enough, I tried typing ssh at the Cygwin prompt, and it wasn't in the path.

I'd made the newbie mistake of forgetting to install OpenSSH.

I installed OpenSSH and the copy command started working just fine.

Friday, December 21, 2007

Interview From Hell

Ever want to slap someone you were interviewing?

Most of the violence is amusing in a cartoon sort of way, but I did find it a little disturbing that when you pour hot coffee in Kathy's lap, she kind of enjoys it... The fact that she appears to be a pyro isn't very reassuring either.

Thursday, December 20, 2007

I-35, the Highway to Righteousness and the "Purity Siege"

Dear God in Heaven, why are so many of your followers such morons?

A few Christian groups have decided that highway I-35, which runs from Canada to Mexico, slicing through the Midwest, is the focus of biblical prophecy, specifically Isaiah 35:8.

The basic idea is that these groups think I-35 is supposed to be a "Highway of Holiness" dedicated to God. To help fulfill this interpretation of prophecy they had a 35 day event where they focused on praying about the highway. They even held a series of prayer events they call a "Purity Siege." The idea is to go someplace they see as "sinful" and have a prayer vigil outside. Abortion clinics, gay bars, adult video stores and the like have all been targeted.

Never mind the fact that the verse in question has nothing to do with modern highways.

The 700 Club, of course, thinks this is a keen idea, and has a hilarious if disturbing report on the phenomenon. I highly recommend the section about 2:45 into the video where a young man claims to have been "touched by the power of God" in a way that sounds more like a Dragonball-Z battle than a religious event.

One line that stands out in my mind is: "Sabil felt God moving in him then, saving him and taking away his homosexuality."

Wednesday, December 19, 2007

Strange Folks at the Office

The Setting:

I work in an office building in the Navy Yard. There are multiple companies sharing the space. Across the hall is a large, fish bowl style conference room used by, I think, a pharmaceutical company.

My office does not have a sink, but I make my own coffee using a travel French Press. This means I head to the floor bathroom whenever I need to empty the grounds. I dump the grounds in the trash (where the paper towels already there absorb any residual liquid) and then rinse the press out in the sink.

The Event:

I left the office to head to the shared bathroom, opaque plastic French press in hand, just as the conference room across the hall was emptying. A chubby middle aged man gave me an antagonistic look out of the corner of his eye and then cut me off to get into the bathroom door before me, shoving me aside with his shoulder. He then sneered at me when he entered the bathroom. I got the impression of a man who'd peaked on the high school football team and learned all his life skills from the Coach.

I walked in and saw that there was already a queue at the urinal. This was not a problem for me, as I was just there for the sink. Since this was a men's restroom, and only 40% of men wash their hands after using the restroom, there was no line at the sinks.

I dumped out the grounds and began rinsing the plastic base of the press. That's when one of the men in line for the loo decided I needed a peanut gallery. He turned to the person next to him and said "Most people know how to use a kitchen sink."

I glanced in the mirror and saw that the person next to him was not reacting. The speaker, however, had a smug look on his face. This was my first look at the Peanut Gallery. He was shorter than me by about four inches, very thin and had a pointed goatee, like a high school student trying to look like a mad scientist. His hair was jet black, slicked to a helmet-like sheen. It occurred to me that if I looked like him, I'd be a bitter jackass too.

I began rinsing the filter portion of the press.

"What kind of redneck washes dishes in the toilet?"

I shook the water off the press components and grabbed a paper towel to wipe up some grounds that had gotten on the counter.

"Oh look, the janitor."

I took another paper towel and began drying off the press. He was silent for a moment, but I found myself facing him when I went to leave the restroom. He leaned towards me and said "Ever hear of Starbucks Forest?"

I stopped and looked him in the eye. I cocked an eyebrow and said "Charbucks? You actually drink that garbage?" I turned and walked away, muttering just loud enough to be heard "Can't tell coffee from carbon. Bilge drinker probably calls it EXpresso."

The door closed behind me.

Strange sightings on the T

I normally take the orange and red lines to get home. The last few nights I've taken the green line in order to get to Whuffle's parents' house after work. Last night I saw two sights that I found hilarious.

The Lesbians and the Fundie

I boarded a C line train and found myself standing next to two young college aged women. To say they were being friendly with one another would be an extreme understatement. Since a detailed description would require an "Explicit content" warning I'll just say that it looked more like a scene from a late night movie on Skinemax than what you would expect on the train.

The young and enthusiastic lesbians were not, however, the main attraction.

The main attraction was a young African American woman of about the same age as the lascivious couple. Her hair was pulled into a tight, severe bun. Instead of the grunge inspired attire of the lesbians she wore a conservative dark blue woman's suit. She wore a "Heritage Pride" pin on her coat. Her posture seemed to imply her spine had been replaced with a very straight titanium rod. She looked for all the world like the young version of a church matron, one of those women who could cut a teenager to ribbons with a single look. I'll call her Mable for the sake of reducing pronoun abuse.

I was fortunate to be looking her way the moment she saw the couple. At first she was shocked, a look of disgust and surprise washing over her face. Her nose wrinkled into a comical mask, as if someone had presented a cartoon character with a pound of rotten meat. It was clear that these young women had offended Mable to the depths of her moral center.

Next her jaw dropped and she cast her eyes about the train, as if seeking an ally in this morally horrific situation. I discreetly followed her gaze and saw no signs that anyone else had noticed the couple. Either the couple was largely unnoticed, or everyone was doing a good job of hiding their reactions.

Mable worked her mouth for a few seconds as if she were about to speak, but thought better of it and clamped her jaw shut. She shook her head and gave the couple a look that I suspect she learned from a stalwart and formidable grandmother with bifocals and a tendency towards harsh judgment.

The lesbians remained oblivious to the world around them, including Mable.

Mable began shaking her head, tut-tutting. She would occasionally clear her throat with an "Ahem" that seemed to say "You WILL give me your attention NOW you reprobate."

I was barely restraining my laughter, letting out a few repressed giggles despite my best efforts. The show continued, with Mable going through several comical and entertaining reactions. Withering looks dominated, but I detected a hint of despair creeping in. The couple did not acknowledge Mable. If anything, they intensified their enthusiasm.

Sadly, I did not get to see the end of the drama, as I needed to change trains. I disembarked and the tableau was lost to my view. I went on, speculating as to why, if Mable was so offended, she didn't simply move to another car or just turn around.

The Pickpocket

I got off the train at Copley, as I needed an E or D train to get where I was going, and the C train I'd been on wasn't going to get me there. While boarding a D line train at Copley I witnessed an attempted pickpocketing.

I boarded the train at the front, where there's a few steps that take you up into the train. I was standing near the door next to a man with a briefcase. A young man in a sweat shirt and jeans pushed past the two of us and made a clumsy and obvious attempt to pick the coat pocket of the man next to me.

The intended victim was tall and solidly built. Visualize the protagonist in "American Psycho" and you get a rough idea of what he looked like. He grabbed the hand that had invaded his coat pocket and pulled it out. The pickpocket was trying to get out the door, pulling with all his might in a comical, cartoonish manner. I saw the victim look down at the pickpocket's hand, which was open and empty. The man then looked out the door and simply let go.

The pickpocket had been pulling with all his might when he was released and as a result he tumbled from the train. The sound he made as he fell resembled a squeak more than a scream. He landed in a crumpled heap on the subway tiles. The doors closed and the train pulled away within seconds of the would-be pickpocket landing.

The victim just looked out the door for a second, taking in what had happened. He blinked for a second and then began to laugh softly to himself.

Friday, December 14, 2007

This is your Captain Calling

I got another automated telemarketer call today. This time it started off with a crackling, pre-recorded fog horn followed by a recording telling me to "Press 1 to take the survey and get your FREE boarding passes." I took the survey, making sure to provide wildly inaccurate information. Once the survey was complete, I was transferred to an operator. I told him that I wanted to be placed on the "Do not call list" at which point he transferred me to another automated system. This one read my phone number to me, and then announced that I would "No longer receive opportunities to--" I hung up at that point, having lost interest in their pathetic attempt to make me feel sorry for wanting to be left the Hell alone.

Here is what Caller ID had to say about them:
12/14/2007 12:29PM
PCS Phone GA
404-798-9983

Wednesday, December 12, 2007

Vandalism of Shocking Insight

This is an insightful bit of vandalism. Every few months you hear about a model dropping dead from malnutrition; anorexia and bulimia are rampant, and millions of young women are made to feel insecure and inferior because they have actual curves.


One can't help but wonder why the fashion industry hasn't just started going to famine ravaged nations to find new models. Heaven knows they're thin enough.

Perez Hilton - Spammer and a bad one at that

I have my e-mail for matthewmiller.net forwarded to my Gmail account. When I opened my e-mail this morning I found two messages from Perez Hilton <perez@perezhilton.com>. My familiarity with the name "Perez Hilton" extended to "Wait, isn't that the attention whore Blogger who chose a stage name similar to 'Paris Hilton'?"

The subject line was the next thing that caught my attention. "Here is your personal information we have on file". I was surprised this dreck got through the Gmail Spam filter, as it's usually pretty good about purging messages that look like phishing attempts, particularly lame, transparent ones such as this.

I expected Spam, but opened the first e-mail anyway. Sure enough I found a pitch to buy crap, and the text:

You're receiving this message because you may have joined my newsletter If you do not wish to receive these special updates then please edit your email preferences.

I have a few issues with this block of text:

First, I never subscribed to the Perez Hilton newsletter, nor would I. I enjoy well written, well acted and well conceived movies, which means 95% of Hollywood's output holds no interest for me. The occasional Hollywood story that floats to the surface of Digg.com more than satiates any Hollywood interest I may have.

Second, the block of text contains no actual unsubscribe information, just the vague advice to "edit your email preferences." Legitimate firms generally include clear, concise unsubscribe data at the footer of their newsletters. For example, the versiontracker.com newsletter includes a link to the Privacy Policy followed by the text:

About This Email:
You are receiving this email at [Redacted] based on your VersionTracker or MacFixIt email preferences.

To unsubscribe or change your email preferences, visit http://www.versiontracker.com/account/emailSettings.php while logged in or login at http://www.versiontracker.com and go to My Account > Email Settings

Contact Us:
For further assistance email us at http://support.versiontracker.com or:
CNET TechTracker, 55 SW Yamhill, 3rd floor, Portland, OR 97204


Notice the difference?

I opened the second e-mail and saw that it was not only a duplicate of the first, but was sent to the exact same address. This is another red flag, as it generally means that their subscription software is faulty, or the "subscribers" really are just harvested e-mail addresses being processed by a Spammer.

I decided to see if Perez actually provides a way to unsubscribe from this garbage, so I directed my web browser at perezhilton.com. While I found a few "Advertise here" links there was nothing resembling an "unsubscribe." There wasn't even a link or form letting you subscribe. I'd already suspected that this was just Spam spewed at harvested addresses and the lack of any newsletter information on the site only strengthened that belief.

The closest thing to an unsubscribe I found was a vague "Other Technical Problems" link which linked to "support (at) pressflex.hu". I was tempted to e-mail this alleged support address, but decided against it. Everything about the site smelled of shady shenanigans and Spam.

I decided to check out pressflex.hu and was unsurprised when the only content at their site was a Placeholder page and a link to abuse.net. Upon seeing this I decided to report the Spam to Spamcop. I haven't used the site much since forwarding all my messages through Gmail, but those that escape the Spam filter get sent to Spamcop.

Finally, I did a quick search through Gmail's Spam folder, and found yet a THIRD message identical to the other two, all of them sent within a two hour time span.

Finally, I'd like to present the headers from one of the Spam messages for your amusement. Notice that Google's SPF check failed. dns-solutions.net is the hosting provider for matthewmiller.net. Notice that the Message-ID ends with @yahoo.com and the header claims that the message was sent using Outlook Express. You'd have to be running a pretty piss-poor shop to see Outlook Express as the best option for sending out a large newsletter. My suspicion is that whatever bulk mailer they WERE using just identifies itself as Outlook Express. The other option is that whoever wrote the bulk mail program used by the Spammer honestly can't figure out how to connect to an SMTP server. Writing the messages to an EML file was the best he or she could do.

Delivered-To: [Redacted]
Received: by 10.142.52.18 with SMTP id z18cs428652wfz;
Wed, 12 Dec 2007 03:17:56 -0800 (PST)
Received: by 10.100.207.5 with SMTP id e5mr1208228ang.69.1197458275933;
Wed, 12 Dec 2007 03:17:55 -0800 (PST)
Received-SPF: fail (google.com: domain of perez@perezhilton.com does not designate as permitted sender)
Received: by 10.34.253.29 with POP3 id a29mf113399pyi.4;
Wed, 12 Dec 2007 03:17:55 -0800 (PST)
X-Gmail-Fetch-Info: [Redacted]
Return-Path:
Delivered-To: [redacted]
Received: (qmail 90583 invoked from network); 12 Dec 2007 11:05:45 -0000
Received: from unknown (HELO 192.168.0.1) (61.9.217.58)
by mail-da-1.dns-solutions.net - 61.9.217.58 with SMTP; 12 Dec 2007 11:05:45 -0000
Received: from 188.66.110.68 by ; Wed, 12 Dec 2007 12:07:19 +0100
Message-ID:
From: "Perez Hilton"
Reply-To: "Perez Hilton"
To: [Redacted]
Subject: Here is your personal information we have on file.
Date: Wed, 12 Dec 2007 15:07:19 +0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--6114072670274832"
X-Priority: 3
X-MSMail-Priority: Normal
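
The red flags called out in this post (the SPF failure, a Message-ID under yahoo.com on mail claiming to come from perezhilton.com, a desktop X-Mailer string on supposed newsletter mail, no unsubscribe mechanism, and repeated identical copies) can be checked mechanically. The Python below is an added example, not part of the original post; the sample headers are constructed (example.org, 192.0.2.10 and the Message-ID local part are placeholders for values the post shows blank or redacted), and the function names and the desktop-mailer list are assumptions.

```python
"""Triage mail that claims to be a newsletter, using only its headers."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post. Values the post
# shows blank or redacted are placeholders: example.org, 192.0.2.10 and the
# local part of the Message-ID.
SAMPLE = """\
Delivered-To: reader@example.org
Received-SPF: fail (google.com: domain of perez@perezhilton.com does not designate 192.0.2.10 as permitted sender)
Return-Path: <perez@perezhilton.com>
Message-ID: <constructed-0001@yahoo.com>
From: "Perez Hilton" <perez@perezhilton.com>
Reply-To: "Perez Hilton" <perez@perezhilton.com>
To: reader@example.org
Subject: Here is your personal information we have on file.
Date: Wed, 12 Dec 2007 15:07:19 +0400
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0

(body omitted)
"""

# Assumption: a short, illustrative list of desktop mail clients.
DESKTOP_MAILERS = ("outlook express", "thunderbird", "apple mail", "eudora")


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower() if "@" in address else ""


def related(domain_a, domain_b):
    """True when one domain equals the other or is a subdomain of it."""
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def spf_result(msg):
    """First word of Received-SPF (pass, fail, softfail, ...), or 'none'."""
    value = (msg.get("Received-SPF") or "").strip()
    return value.split(None, 1)[0].lower() if value else "none"


def audit_headers(raw):
    """Return the red flags found in one raw message, in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))

    # The receiving server found the sending IP is not authorised.
    if spf_result(msg) in ("fail", "softfail"):
        findings.append("spf_fail")

    # Message-ID minted under an unrelated domain. A signal, not a verdict:
    # legitimate bulk senders sometimes use their mail provider's domain.
    msgid_domain = domain_of(msg.get("Message-ID"))
    if msgid_domain and from_domain and not related(msgid_domain, from_domain):
        findings.append("message_id_domain_mismatch")

    # A desktop client string on mail that presents itself as a newsletter.
    mailer = (msg.get("X-Mailer") or "").lower()
    if any(name in mailer for name in DESKTOP_MAILERS):
        findings.append("desktop_mailer_on_bulk_mail")

    # No machine-readable unsubscribe header (RFC 2369 List-Unsubscribe).
    if "List-Unsubscribe" not in msg:
        findings.append("no_list_unsubscribe")
    return findings


def duplicate_groups(raw_messages):
    """Group Message-IDs of mails sharing sender, recipient and subject."""
    groups = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = (parseaddr(msg.get("From") or "")[1].lower(),
               parseaddr(msg.get("To") or "")[1].lower(),
               (msg.get("Subject") or "").strip().lower())
        groups.setdefault(key, []).append(msg.get("Message-ID", ""))
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for flag in audit_headers(SAMPLE):
        print(flag)
    copies = [SAMPLE.replace("0001", n) for n in ("0001", "0002", "0003")]
    print(duplicate_groups(copies))
```

Each finding is a triage signal for a human or a scoring filter; none of them proves on its own that a message is spam.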

Thursday, December 6, 2007

Annoying Ads - Stella Artois

I photographed this ad at one of the Boston Red line stations in early December.

Stella Artois is a decent Belgian lager. My complaint, the thing I find annoying about the ad, is that it's so boring and mundane when compared to some of the European ads below. American advertising is largely monotonous and dull. The same tired old themes are recycled again and again with little variation or creativity. Advertisers are frustrated by technology that lets people bypass advertisements, yet put their efforts into lawsuits against "Commercial skip" technology instead of just making ads people would find entertaining.




It's as if they dumbed down their ads for the United States of America. Oh, wait, Bud Light is the top selling beer in the country. Most Americans wouldn't know a good beer if we drowned in it.



Yes, you can argue that I'm comparing video advertisements to a small billboard, but the fact remains that the billboard lacks any creativity beyond the page design. Yes, the ad is executed well. The text is well placed and readable, the image of the product is attractive, but it's no different than any other similar beer advertisement. The bottom line is, Stella Artois can do better.

Annoying Ads - Sprint

Tis the Season of conspicuous consumption. When I look around at the commercial nature of the Christmas Season, I find myself understanding why the Puritans refused to celebrate the holiday. While largely moderate in my views and beliefs, the "Gimmie, gimmie, gimmie" nature of the average American's "Christmas Celebration" can still be downright painful.

Knowing full well that the average rants on this subject are boring, I thought I'd be more specific in my criticisms. Specifically, I'm going to post a series of advertisements and explain why these particular ads annoy me. Who knows, if I get a good response this might become a year round shtick.

First, I present an ad from Sprint.


Boston T commuters will recognize the artwork as it's been infesting Boston Train stations since late November. The photo was taken with my cell phone, so the resolution is rather fuzzy. Fortunately, the readable text is also the only part that really annoys me.

This version of the ad, and there are several, has the text "For the Person who wants everything, but still wants more."

It'd be hard to create a better example of WHY the current state of the Christmas season is so annoying. The ad starts off appealing not just to greed, but to excess. "Having everything isn't good enough for you, ya greedy bastard" it seems to say. In the wealthiest nation on the planet, having more than 90% of the rest of the world's population isn't good enough. You've just GOT to have this gadget.

And what does this gadget do? Why it's a portable chunk of hardware that can make cell phone calls, check e-mail and even browse the Internet, all without wires. Oh, and it's an MP3 player. The really sad thing is this device, and hardware similar to it, is seen as essential to many people. We're so out of touch with reality, with the rest of the world, that a gadget that was a sci-fi fantasy just ten years ago is a vital device. Kids need it to one-up other kids and executives insist upon similar gadgets so they have yet another expensive anatomical compensator to show off.

Avoid Accidents

I took this photo near work. It's a WWII era sign that's on one of the buildings.

I find it amusing and thought I'd share.

Friday, November 16, 2007

The Fat Rant

I'm sure most folks have already seen at least one of these videos. They star Joy Nash, an attractive, energetic, creative woman who also happens to be 224 pounds. Her basic message is that "fat" folks should stop letting their weight control their lives. She advocates exercise and a healthy diet, but also points out that 95% to 98% of people who lose more than 75 pounds on a diet regain every ounce within three years. "Success is practically a freak occurrence."

Naturally, when the drones at FOX "News" interviewed her, the host dismissed her by telling her to "Get Healthy" and proceeded to write a follow up article trying to justify the comment.

Of course, like most folks online these days, she has a Blog and a Myspace page.

The Fat Rant


Fat Rant - Confessions of the Compulsive

Monday, November 5, 2007

The Hat

Once, on a very windy day, a rabbi was on his way to the temple. Suddenly a strong gust of wind blew his fur hat off his head. The rabbi ran after his hat but the wind was so strong it kept blowing his hat farther and farther away. He could not catch up with it. A young man, a gentile, witnessing this event and being more fit than the rabbi, ran after the hat, caught it and handed it over to the rabbi.

The rabbi was so happy and grateful that he gave the man five dollars and put his hand on the man's head and blessed him. The young man was very excited about the tip and the blessing and decided to go to the racetrack and bet his 5 unexpected dollars.

After the races the young man returned home and recounted his very exciting day at the races to his father. "I arrived at the fifth race," said the young man, "looked at the racing program and saw a horse by the name of 'Top Hat' running. The odds on the horse were 100 to 1, the longest shot in the field. Having received the rabbi's blessing and the 5 dollars and thinking of the rabbi's hat and the horse's name being Top Hat, I thought this was a message from God, so I bet the entire 5 dollars on this horse. An amazing thing happened, the horse that was the longest shot in the field and who did not have the slightest chance to even show came in first by 5 lengths."

"You must have made a fortune," said the father.

"Yes, $500, but wait, it gets better," replied the son. "On the following race, I looked at the program. A horse by the name of Stetson was running. The odds on the horse were 30 to 1. Stetson being some kind of hat and again thinking of the rabbi's blessing and his hat, I decided to bet all my winnings on this horse."

"What happened?" asked the excited father.

"The horse Stetson won and I collected big money."

"You mean you brought home all this money?" asked his excited father.

"No," said the son, "I lost it all on the next race. There was a horse in this race named 'Chateau' so I bet all the money on it because the horse was the heavy favorite and the name also means hat in French and it all started with the rabbi's hat. But the horse broke down and came in last."

"Hat in French is 'Chapeau' not 'Chateau,'" said the father. "You lost all that money because of your ignorance. Tell me who won the race anyway?"

"A long shot Japanese horse named 'Yamaka.'"

Thursday, November 1, 2007

Resolving -2147467259 (0x80004005)

I was having a problem. Every time I tried to load an ASP page under IIS in Windows XP, I got the following, obtuse error message:

-2147467259 (0x80004005)

If I ran an iisreset, I would get the following error once, and then the numerical error would resume:

The remote procedure call failed and did not execute.

I used filemon to watch the network traffic, but the closest I came to anything useful was a Buffer Overflow on the ASP page, even when it was nothing more than a Response.Write.

I did some digging and found a reference to this being a problem after installing PHP under Windows. This piqued my interest, because I'd just installed PHP. I tried to uninstall it, but got an error that there was a problem with the installer.

Great.

Finally I stumbled across a solution that has restored my ability to run ASP pages locally.

I ran the following commands from the command line:

regsvr32 C:\WINDOWS\system32\vbscript.dll
regsvr32 c:\WINDOWS\system32\inetsrv\asp.dll

Does the PHP install damage the registration of these DLLs? I don't know. I do know things are working and I can move on with my day.

Friday, October 26, 2007

Hangup Call from a Telemarketer

I got a call from 702-520-1152 on Oct 26, 2007 at 7:32 pm. Caller ID identified as "BIZ to BIZ". I picked up and the caller hung up. I called back a few times but the phone just rang and rang and rang. No one answered.

I'm curious who is behind the calls, as there are a few hangup messages on my machine.

I've done a little research on the number 702-520-1152 and a lot of people seem to be getting the same runaround. Someone calls, they hang up without leaving a message and attempts to call back are fruitless.

Whitepages.com gives the following information on the number:

(702) 520-1152 is Unpublished or Unavailable
Type: Land Line
Provider: Digitcom Services
Location: Las Vegas, NV

While I did find some hints as to who might own the number, I didn't see anything really interesting or verifiable.

Wednesday, October 10, 2007

Microsoft to be an "also-ran" in "Ultra-Mobile Devices" Market?

A report from ABI Research predicts devices based on Microsoft's Ultra Mobile PC (UMPC) specification will ship 4.68 million units by 2012, while Mobile Internet Devices (MIDs), frequently based on Linux, will ship 90 Million units in the same time, outselling UMPCs 19 to 1.

Microsoft's UMPC specification, code named Origami, defines an ultra-portable PC capable of running desktop applications without modification. While significant growth is expected, the market faces the technological barriers inherent to all mobile devices plus the need to run XP and Vista on an ultra-portable platform with a small form factor.

MIDs are more specialized devices aimed at consumers. The lower cost and broader appeal are expected to increase overall sales. ABI uses the Apple iPhone and Nokia N800 as examples of MIDs, showing just how fuzzy the line between UMPCs and MIDs can be. The Linux Devices article "UMPC expected to spawn family of devices" explores the nature of UMPCs in more detail.

Together, MID and UMPC make up a category known as "Ultra-Mobile Devices" (UMDs). Featuring "Always on" wireless connectivity, UMDs are expected to ship close to 95 million units by 2012.

ABI's 77 page report, "Mobile Internet Devices and UMPCs" costs $4,200 USD and is available from their website. The report explores the MID market, its users and its potential applications.

Related Links:

Nearly 95 Million "Ultra-Mobile Devices" to Ship by 2012

UMPC expected to spawn family of devices

UMPC next Linux hacker target?

Early UMPC ships, but decent Linux support may lag

How would you change the UMPC?

Via unveils "ultra mobile device" reference design

Intel debuts Linux-based "Mobile Internet Device"

Tuesday, September 25, 2007

Revisiting the "Firefox Myths" Part 8

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

This post represents a return to the comment Andrew K posted on September 18, 2007 1:49 PM. He had a lot to say, and I haven't replied to all of it yet.

Myth - "Firefox Vulnerabilities are Quickly Patched"

This clearly proves that Firefox vulnerabilities are not quickly patched thus this Myth is debunked. IE is irrelevant to this Myth and another excuse as you seem to like to make many of them.

Statements about the speed with which a bug is fixed require a context, specifically the context of how quickly other browsers fix their security problems.

Most of Firefox's reputation for fixing bugs faster than IE comes from Microsoft's bungled handling of the createTextRange() Vulnerability. Few people can name the vulnerability, but many remember that their web browsers can be hijacked by hackers just by visiting a web site. They'd never even get a confirmation dialog before hostile software was installed.

Please see my comments on Brian Krebs' article "Internet Explorer Unsafe for 284 Days in 2006" below.

Myth - "Firefox is More Secure because it is not integrated into the OS"

The examples are not the sources of the MYTHS!! I know you failed to read that but it is getting old. Mozilla clearly stated what they said. The Myth was debunked by Microsoft.

Andrew is partially right. The browser is not made more secure by not being integrated into the Operating System. The Operating System itself is more secure when a web browser isn't integrated.

This is another example of Andrew attacking my initial write-up even though I agreed with his final conclusion. I used the myth as a starting point to discuss a separate issue, but Andrew has chosen to reassert his original debunking as if it somehow debunked my points about OS security.

Andrew seems a bit confused regarding my intent in responding to his Firefox myths page. I was using his article as a jumping off point to discuss other issues. Yes, I went off on a few tangents, but no, those tangents were not necessarily intended to debunk Andrew's Debunking.

The bottom line is, I've personally seen instances of an Operating System being compromised because some idiot decided to integrate the Web Browser into the File Browser. A single Zero-Day Drive-By exploit was all that was needed to infect several machines.

If Internet Explorer was not integrated into Windows Explorer, I wouldn't have had to clean up several virus infected PCs.

Myth - "Firefox is More Secure because it does not use ActiveX"

Again debunked by Microsoft

To be fair, it WAS true at the time the claim was circulating. Andrew seems to enjoy playing with time frames to his advantage. For example, when discussing the system requirements for web browsers, he happily compares IE 6 to Firefox 2, and ignores IE 7, claiming that since the myth was about IE 6, IE 7 is "irrelevant."

On the ActiveX Myth, Andrew ignores the fact that ActiveX was a major security hole at the time the claim was circulating. He relies upon the fact that most of those problems have been fixed to debunk the myth.

Wouldn't it be more honest to admit "Yes, ActiveX was a problem in the past but if you're running IE 7, it isn't a real issue now"?

Just do a Google Search for activex vulnerability and you'll get a whole list of major security holes that Firefox never had to contend with.

Microsoft Security Bulletin MS05-013
Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

National Cyber Alert System Cyber Security Alert SA06-258A
A vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.

Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
The Microsoft Windows WebViewFolderIcon ActiveX control contains an integer overflow vulnerability that could allow a remote attacker to execute arbitrary code.

Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability
A vulnerability has been discovered in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.

New Active-X Vulnerability Discovered

ActiveX Vulnerability
Myth - "Firefox Extensions are Safe"

It is proven that they can clearly not be safe, thus debunked.
Again, I agreed with Andrew on this one. I mused about the vulnerability of extensions for other browsers but that's as close as I came to disagreeing with him on this myth. Entirely too much trust is put on Extensions just because you find them through the "Get Extensions" link in Firefox.

Myth - "Firefox is a Solution to Spyware"
The nonsense about drive-by infections are from those who run unpatched versions of IE and has nothing to do with IE fully patched. I have used IE since it came out and have never been infected by "drive-by" installs and neither do my clients. You can do the same using this guide:

http://mywebpages.comcast.net/SupportCD/MalwareRemoval.html

All for free. But Firefox is clearly not a solution to Spyware and thus debunked.
I'm really questioning Andrew's Research skills here. Several times in these threads I've mentioned the createTextRange() Vulnerability, which remained unpatched for weeks and allowed drive by infections.

Andrew's claim that a fully patched IE install will be immune to Drive-By exploits is a dangerous and misleading lie. I encourage readers to do a quick online search for phrases like "Drive-by" and "Internet Explorer." Andrew's irrational denial of reality is confusing to say the least.

Brian Krebs wrote an excellent article entitled "Internet Explorer Unsafe for 284 Days in 2006" in which he exhaustively researched the security flaws in Internet Explorer and the time taken to patch them. He even submitted his information to Microsoft to give them a chance to respond.

The following quotes are from that article.
For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Since this whole thing is about Firefox Myths, I'd like to also quote something Krebs had to say about Firefox:
Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
He even has a chart of Internet Explorer vulnerabilities in 2006.

I encourage Andrew to read the article above. I suspect he'll have difficulty dealing with information from someone who did actual research, and he'll be further enraged by something that contradicts his dogma about a fully patched Internet Explorer, but he needs the information in the article.
Myth - "Firefox 2's Phishing Protection is better than Internet Explorer 7"

No I did not lie. The Google Anti-phishing tech was built right into Firefox 2, regardless I added more sources and the myth is still debunked.
One of Andrew's new sources is Ed Bott's article IE7 or Firefox 2: Which browser is more secure? Testing was done with Firefox 2 Beta 1, not a production release.

The recent information paints an interesting picture for Firefox's anti-phishing features. On one hand, you have a Mozilla sponsored report that gives a glowing review and people claiming that Firefox caught all the phishing sites listed on dslreports.com.

On the other hand, we have things like Ed Bott's article that raises some concerns about the Phishing filter. Specifically, he found two sites that IE caught but Firefox didn't and he wants more information on the false positives from the test where Firefox caught more Phishing sites.

While Ed Bott does say:
The two “live” sites I visited in each browser hardly constitute a scientific sample, but it’s still worth noting that IE7 flagged both pages as confirmed phishing sites, while Firefox 2 missed them both
He later states:
I haven’t spent enough time with the Firefox/Google code to form an opinion.
Interestingly enough, he also reports that
Update 4-August, 3:40PM PDT: A representative of Mozilla's PR agency contacted me and says that the anti-phishing feature in Firefox 2 Beta 1 "was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites."
Remember, his tests were done with a beta. Would the results change if the tests were repeated with Firefox 2.0.0.7?

I did some more digging, wondering why IE would appear to perform so much better than Firefox. Then I found my answer.

Firefox processes URLs locally, on your own machine, while IE7 sends URLs to a Microsoft server for checking.

The IE blog gives some more detail on how this works:
So, for example, if you were to visit http://www.msn.com, nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let’s say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "http://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so it's not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.
IE7 has a local cache of "OK" sites, and if you visit a site that isn't on that approved list, the URL, minus URL data, is sent to a Microsoft server for further evaluation.

The advantage is that the server side analysis can be changed in a matter of minutes. The downside is if you visit a site that Microsoft hasn't deemed "OK" then the URL is sent to Microsoft. In addition to the latency of waiting for the approval to come back from the Microsoft server, this means a lot of your web browsing is likely to end up logged on a Microsoft server.
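The lookup flow described above, as an added sketch (not Microsoft's code and not part of the original post): the allow list contents, the subdomain matching rule and the function names are assumptions. It shows that removing the query string still leaves the host and path of every non-allow-listed page visible to the server.

```javascript
// Added illustration, not Microsoft's implementation. Models the client-side
// decision the IE blog describes: allow-listed hosts are handled locally,
// everything else goes to the server with the query string removed.

// Constructed allow list; the real client-side list is not shown on the page.
const LOCAL_ALLOW_LIST = ["msn.com"];

// Assumption: a host matches an entry if it equals it or is a subdomain of it.
// The leading dot prevents "notmsn.com" from matching "msn.com".
function isAllowListed(host, allowList) {
  const h = host.toLowerCase();
  return allowList.some((entry) => h === entry || h.endsWith("." + entry));
}

// Returns what would leave the machine for one navigation:
// null when the host is on the local list, otherwise the URL minus its query.
function urlSentForCheck(rawUrl, allowList = LOCAL_ALLOW_LIST) {
  const u = new URL(rawUrl);
  if (isAllowListed(u.hostname, allowList)) return null;
  // The query string is dropped, per the IE blog. The fragment and any
  // embedded credentials are dropped as well (assumption).
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Summarises a browsing session: how many navigations stayed local and
// which URLs a server-side log would have received.
function sessionExposure(urls, allowList = LOCAL_ALLOW_LIST) {
  const sent = [];
  let local = 0;
  for (const raw of urls) {
    const out = urlSentForCheck(raw, allowList);
    if (out === null) local += 1;
    else sent.push(out);
  }
  return { local, sent };
}

// Constructed session. The first two hosts and the path come from the IE blog
// example; the query values and the remaining URLs are made up.
const SAMPLE_SESSION = [
  "http://www.msn.com",
  "http://207.68.172.246/result.aspx?u=Tariq&p=secret",
  "http://notmsn.com/",
  // A secret carried in the path is NOT protected by query-string stripping.
  "https://intranet.example/reset/token-abc123?next=/home",
];

console.log(sessionExposure(SAMPLE_SESSION));
```

Only the first navigation stays on the machine; the password-reset URL shows that anything sensitive placed in the path still reaches the server.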

Microsoft has its own take on the Privacy issues involved.

In terms of the myth as stated by Andrew, it does look like IE 7 has better anti-phishing than Firefox. However, they both suck.

The article "Firefox 2 vs. IE 7 Anti-Phishing: Who Cares? Use Multiple Layers" points out that even the pro-Firefox test "puts it at 460 sites missed by one browser or the other. Which means neither one is really good enough." The article goes on to recommend a variety of anti-phishing technologies to help improve your odds of escaping scammers.

The more I dug into this issue, the more I realized that when it comes to anti-Phishing technology IE7 and Firefox 2 are fighting for dregs. Both anti-phishing technologies suck, but at the moment, it looks like IE's implementation sucks a little less, assuming you're OK with the privacy issues raised.
Myth - "Firefox supports Extensions and Internet Explorer does not"

Your excuses are meaningless, this is not about which is better which is an opinion, the Myth is clearly debunked.
Yet again, I didn't disagree with Andrew on this. I went so far as to explain how the myth came to be. Yes, I took a pot shot at IE's Add-On support, largely because I've written add-ons for both Browsers, and found Firefox far easier to work with.

Why did he feel compelled to refer to me making "excuses" when I didn't even disagree with him?
Myth - "Firefox supports an Inline Search Feature and Internet Explorer does not"

Don't put words in my mouth and stop making excuses, this myth is clearly debunked. Tweaking tutorials? WTF? Are you insane?
Fact: A default install of Firefox supports Inline Search.

Fact: You have to install an add-on to get the same feature in Internet Explorer 7.

Fact: Andrew provided no sources for this "myth" on his web site, so I had to find some of my own.

Internet Explorer 7 Review

There are also a number of features I miss from Firefox, such as inline find, which opens a handy and less obtrusive Find toolbar instead of the annoying IE Find dialog. This concern is partially offset by the IE Addons Web site and a new generation of small downloads that improve IE's functionality...

Internet Explorer Not A Monster Anymore

He thinks IE7 has its issues - what he calls "interface gaffs", along with features that Firefox has that he can't live without (such as inline search). But in terms of standards compliance Thurrott says IE7 is an improvement.


Suddenly, I see why Andrew included no sources for the myth. Several times in his replies to my site, he's made a big deal of addressing the myth as he found it in the wild. The discussion about his not including IE 7 in the "System Requirements" myth is a prime example. He refuses to include IE 7 in part because he didn't find examples of people claiming Firefox 2 had lower requirements than IE 7. (The source he links to for the myth doesn't actually mention browser versions AT ALL, but that's a different issue.)

The "Inline Search" myth does not appear to exist in the wild in the way Andrew describes. The complaints I found are that the feature is missing from the base install, or that you have to install an add-on to get Inline Search in IE. Every site that mentions the lack of Inline Search in IE seems to mention an add-on that adds inline search.

I wonder how Andrew would react if I countered one of his other debunkings with a link to a Firefox Extension that fixed the problem? Would he accuse me of making "excuses" for Firefox? Would he rely upon the exact wording of the myth as it's stated in his Source?

My main issue with this myth is not if it's true, but that the debunking Andrew uses violates his own rules. If the tables were turned I don't think Andrew would concede that a Firefox Extension that resolved the issue would be sufficient to change his conclusion about the myth.
"Opera also introduced tabbed browsing. I'm surprised Andrew didn't mention this"

Um I did mention Opera invented Tab Browsing under the myth labeled: TABBED BROWSING! It is now clear to me that people read what they want and not what is there.
Funny, I did a keyword search on the page before I wrote that line. It wasn't there. Perhaps I was tired and just missed it, but since I've already seen an example of Andrew editing firefoxmyths and pretending the statements were there before, I'm inclined to suspect my search was valid, and that Andrew edited the page after reading my original post.

In Comic Book terms, it looks like he retconned the article.
Myth - "Firefox had Pop-up Blocking before Internet Explorer"

No this is a Myth and debunked, Firefox is NOT the Mozilla Suite. The only thing misleading is stating it any other way.
I'll grant that, in terms of the Myth as written, Andrew debunks it. However, his debunking makes it sound like Internet Explorer was the first to introduce the feature. Mozilla based browsers had pop-up blocking way back in 2002, two years before IE introduced the feature. There was even some anger over the fact that Netscape 7, based on the Mozilla core, removed the feature in order to coddle AOL popups.
Myth - "Firefox Blocks all Pop-ups"

I am not going to go over this again. The sources and examples are NOT the same etc... Myth debunked.
I should point out here that I never claimed that Firefox blocked all pop-ups. In terms of Andrew's debunking of the Myth, he's right. Firefox does not block all pop-ups.

My issue is that I've never heard the claim that "Firefox Blocks all Pop-ups." Andrew can disperse this concern by linking to a few more sources for the myth, something he has failed to do.

Show me the references.
Clearly you read nothing on my page as my sources for the Myths were multiple locations none of which were the examples.
I'm going to give Andrew the benefit of the doubt and assume he was tired when he wrote that line as it's very poorly worded.

He seems to be claiming that he listed multiple sources for his myths. However, the "Firefox blocks all Pop-ups" myth only lists one source, and that source is a graphic on Andrew's own web site.

The "Firefox has lower System Requirements than Internet Explorer" myth is also nothing but a link to a graphic on his site. I noticed that there's no mention of the browser version in the linked graphic, but Andrew made a BIG deal out of the browser version when rationalizing his exclusion of IE 7 from discussion of the myth.

The following "Myths" have a graphic on firefoxmyths.com as their only "Example" of the myth.

"Firefox's Memory Leak is a Bug"
"Firefox Blocks all Pop-ups"
"Firefox was the first Web Browser to include Tabbed Browsing"
"Firefox fully supports W3C Standards"
"Firefox has lower System Requirements than Internet Explorer"

I believe Andrew needs to do a better job of finding, and linking to, examples for his myths.
I didn't "massage" any data and it is all clearly sourced. I also did not try to hide anything as this page came out in 2005 and is clearly SOURCED!!!!
I encourage anyone reading this little flamewar to go back and review what Andrew and I have written. Decide for yourselves if Andrew is massaging his data or not. Don't take my word for it, and don't take his. Read the arguments and counter-arguments and decide for yourself.
"Ironically, he fails to mention the fact that the free Opera browser is no longer ad supported."

Really? "Opera (now 100% Ad free)"

Give me a break, try reading my page completely next time and not make assumptions or jump to ridiculous conclusions.
Again, this is another example of Andrew editing the page and then claiming that the modified version is what was there when I first read it. When I wrote my original post, I searched for the word "Free" on firefoxmyths.com, both by scanning the page and by using my browser's "search" feature. I didn't see the mention of Opera being Ad Free, and I believe Andrew added it after reading my article.

OODA Loops in User Interface Design

Preamble

I've spent the last month or so engaged in a job hunt. That job hunt has now come to a close, as on September 26, I start work at my new place of employment.

During this job hunt, a few places have asked me to write sample essays or articles as part of the interview process. The following is one of those essays. The company in question was very big on using OODA Loops as part of their overall design philosophy and wanted to know if I could wrap my mind around the concept.

While writing the essay, I realized that OODA Loops are easy to apply to software design as the concept merely describes what most good programmers already do. The Observe, Orient, Design, Act methodology greatly reduces the time wasted in redesigning and rewriting code. If done properly, the actual programming is a matter of following the pseudo code that's already been worked out.

The following assumes some familiarity with OODA Loops, which can easily be gained in a few minutes by reading the Wikipedia article on OODA Loops.

Introduction

The main goal of any User Interface should be to allow the user to accomplish their desired goal as quickly as possible. Despite the typical use of OODA Loops to disrupt the opposition, be they business or military, the same principles can be used to enhance the user experience and create the illusion of having fully anticipated the user's desires.

The OODA Loop cycle was designed to describe a military engagement. It's tempting to depict the end user as an Enemy Combatant. In this scenario, the process of getting inside the enemy's OODA Loop would consist of anticipating the User's actions and presenting interface options that lead them in the direction you desire.

This model has a few flaws. First, it describes an adversarial relationship between the user and the developer. A typical development cycle already has enough stresses between these groups without creating more in fundamental design models. Second, all Military analogies break down. In many respects the User's goals and the developer's are the same. It would be a bit like describing how to help an enemy pilot bomb your own base.

A more useful metaphor would be to view the User as your own soldier. The goal of a UI developer becomes streamlining the user's entire OODA Loop, eliminating bottlenecks and avenues for error.

Example Project, The Report Interface

I unknowingly used many OODA Loop concepts in developing a report interface when at FinancialCampus. The "second generation" interface created by a subsequent developer was rejected by users in part because its development ignored the OODA Loops concept. Let's examine both development processes in terms of OODA Loops.

The UI goal was to allow a Compliance Officer (CO) to access and act upon the exam status of his or her Brokers and determine who had not completed their NASD Mandated Continuing Education.

First, I needed to Observe. This meant gathering data on what the COs did with their data and how they needed it presented. The main tasks could be broken down as follows:

Observe:

• Get User Feedback on existing reports
• Review sample reports created manually by end users
• List NASD Legal requirements
• Record data on technical expertise of end users
• Record data on interfaces with which users are already comfortable.
• Get samples of any data files used by the end user.
• List other data available in the Learning Management System (LMS).

Simply acting upon this data would have resulted in either dozens of reports, or a handful of monolithic reports with a complex array of options. COs would have become trapped in the "Orient" stage of their own OODA loops. My own Orient loop was initially a bottleneck until I reevaluated how I was approaching the data. Instead of creating a single report to make everyone happy, I decided to create multiple reports, each one designed to meet the needs of a discrete group of users.

My Orient phase consisted of determining how the potential data sets interacted and who needed that data. I also evaluated who wouldn't mind a few extra bits of data in their report. The end result was a large chart on my wall, listing each piece of data in the system. Legally required data was highlighted. Color coded lines connected the data fields to the customer reports. The color coding flagged the data as "Legal," "Bureaucratic" or "Optional."

Orient: Data is placed into three categories:

• Legal: Information the Compliance Officer MUST present to comply with law
• Bureaucratic: Information the CO needs to present for internal business or workflow reasons.
• Optional: Data present in the LMS but not needed in any reports. This was addressed later.

Once I knew who needed what, I began the Design phase of merging reports. My target was six to eight reports and I met that goal. In retrospect, I could have automated much of this if I had used Semantic Data models and defined relationships such as "Farmers Insurance Needs the exam pass date" and "NYLIC does not want the exam score." This would have allowed me to condense the needed reports faster.

Design:

• Distill format data into the smallest number of possible formats. This process resulted in six basic reports with two to six options each.
• Order the reports by likely number of users
• Define a login process using The IntraLearn user data, as all Compliance Officers were also students. Each report required the appropriate login, and was restricted to the data for a specific company.

By this point, Acting was easy. I simply sat down and began writing the reports I'd specified. I was tempted to engage in another Observe exchange with the COs at this stage, but decided against it, as I did not want to become trapped in an Analysis Paralysis loop, or to allow Feature Creep to delay the deployment of the initial reports.

Act:

• Write the login process for the Reporting Interface.
• Write the report that will be used by the most Compliance Officers. Place that report in a menu that allows for the addition of new reports.
• E-mail the COs about the new reports as they are added.

The Other Loops

During this outer OODA Loop, an overlapping loop was taking place to deal with the "Optional" data. The additional data available, such as the number of times a user had taken an exam, was presented to the Compliance Officers to determine if any of them needed or wanted that data. Additional data was incorporated into the reports as appropriate. For example, the "Times Exam Taken" counter was added to the "Full Data" Excel and CSV export because the only customers who wanted that data were already importing the data into PeopleSoft.

A new OODA Loop began as each report was deployed. CO Feedback initiated the Observe phase. That data was then evaluated for potential use in modifying the existing reports in an Orient phase. If the data was deemed appropriate for use in modifying the report, a Design phase occurred, followed by an Act phase to get the updated report to the end users.

The Resulting Reports

As a result of the above OODA Loops, the Compliance Officer's OODA Loop looked like this.

Observe: Read the brief descriptions of the reports and their options

Orient: Select the report that best met their data needs.

Design: Select the options presented for each report. This typically consisted of such options as the level of detail provided, sort order and if rows will be per rep or per rep/course combination.

Act: Print or download the resulting report, fire, suspend or reprimand Brokers as appropriate. One report even allowed the COs to e-mail the recalcitrant reps with a bulk e-mail or individually, warning them of their pending deadlines.

Two more reports were added within three years, as new customers came on board with new reporting needs.

The "Second Generation" Interface

What did the user-rejected "Second Generation" interface get wrong?

At the then CTO's Direction, the developer conducted minimal Observation. Only the data available in the database was reviewed. No other end user requirements or input was taken into account. Due in part to the small data set gathered in the Observation phase, minimal Orientation was possible.

The rationale given for this minimal Observation was that the existing reports were "truncated" and "failed to take advantage of the data IntraLearn offered." It was further stated that FinancialCampus needed to "Show off what we can do to compete with the big boys."

The Design phase consisted largely of the developer recording every data manipulation he could imagine. Designing and Acting were not separate phases, as the reporting system was written while the developer conceived of new options. This required the developer to completely scrap the existing code twice and begin again from scratch.

As a result, the Compliance Officer's OODA Loop was disrupted. The new system had a steep learning curve, and COs were unable to separate the OODA Loop stages. They became trapped in the Orient phase, unable to process the Observations presented in the reporting system's "Help" documentation. Few were able to successfully Design their reports.

Many COs called or e-mailed to complain about the complexity of the system. FinancialCampus' own CTO, VP and Owner were unable to understand or use the new interface, but still ordered a global switch to the new system.

Summary

The above examples show that the OODA Loop process can be used to create a User Interface that optimizes the User's own OODA Loop, even if the user is unaware of the concept. OODA Loops also help compartmentalize the development process, reducing churn and wasted effort later in the product's life cycle. If the Observe, Orient and Design phases have been carried out, Acting will be little more than using the Pseudo-Code to write the final application.

Monday, September 24, 2007

Revisiting the "Firefox Myths" Part 7

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

The following is a response to Andrew's September 21, 2007 6:18 PM comment to Revisiting the "Firefox Myths" Part 6. I was originally going to post this as another comment in the thread, but decided it had gotten a bit long and needed to be a new post instead.

Unless otherwise noted, indented text in italics is Andrew K's comments, and my responses follow the quote.
By your logic it is dishonest to Ignore IE3 and IE4. The Requirement Myth is accurate and is not changing.
Andrew,

I'm afraid I don't follow you here.

In Revisiting the "Firefox Myths" Part 6 and the resulting comments I argued that IE 7 needed to be included in the discussion because:
  • It's the fastest growing browser in history, and still growing.

  • It has 50% of IE 6's market share.

  • It's the most recent version.

  • It's the ONLY version of IE available to people running Vista, and most new PCs come with Vista pre-loaded.

  • It's Microsoft's recommended upgrade path for XP users.

  • Bug fixes for IE6 are likely to be few and far between, as most development efforts will be directed at IE7.

  • It's been about a year since the last IE 6 bug fix.

  • While I did not make this point earlier, I'd like to point out that according to most statistics IE7 has a larger market share than Firefox.
How do ANY of those points lead you to claim IE 3 and IE 4 should be included as well? I'm afraid your logic escapes me, as neither IE 3 nor IE 4 meets ANY of the criteria I set forth as arguments for including IE 7 in the "System Requirements" section of your site.
Each Myth is based on how it was heard. With requirements the version number was not mentioned specifically for IE while with performance they are.

I don't care how it looks to those who cannot understand simple logic.
Again, your open hostility is what drives the negative reaction to you and your site far more than the data you present. Running around accusing people of being stupid just because they don't think the same way you do, or because they disagree with your logic, is not constructive. I sincerely hope this attitude doesn't reflect your behavior in real life.

If you want people to understand and accept your statements, you have to take into account the objections people will raise. It's the difference between a persuasive statement that will get people to change their behavior and a rant that few will take seriously.

I don't want to attack you or your page. I want to help you change the things that are causing so many people to dismiss it as the ranting of an anti-Firefox Zealot. The first rule of writing is to think about your target market. For whom are you writing and who will be reading it? Who are the people you're trying to reach with your Firefox Myths page?
The browser news comment you are taking completely out of context. I stated:

"The Browsernews is even more biased looking at the sources as it tries to compare single domain page hits with companies who monitor web traffic across hundreds of thousands of pages."

I never said Browsernews uses thousands of pages for its samples I said it is comparing sources that use thousands of samples to ones with a single domain.
upsdell.com is pretty straightforward about the sources used in the linked Browsernews article. The whole point was to reflect the wide range of results you get when you modify your sample set. It's one of the reasons I encourage web developers to pay more attention to the statistics from their own sites than to overall browser market estimates.

You keep claiming that the differences in the six sample sets constitute some kind of disadvantage, something that discredits the article. Those differences, both in the sample data and the ensuing results, are the whole POINT of the article. The goal of the article is to get people to think critically about the numbers being presented to them. Isn't that, in a way, what you were trying to argue in your original article?

You're trying to discredit a few articles by linking to statistics that disagree with those statistics. You're asking readers to treat the numbers you use as superior to those of the original articles. Isn't it more useful to point out the difficulties involved in trying to get a "global" picture of browser usage?

People can argue the "superiority" of one set of browser statistics against another until everyone turns blue in the face. Educating people about the inherently flawed nature of browser statistics in general will be more likely to get people to look at a "firefox achieves xx.x% market share" headline with a critical eye.
I never stated the definition I used does not define IE or Opera as insecure you keep implying this. I make no such statements or implications. You keep stating it to make an excuse for Firefox being insecure.
I'm not trying to make excuses for Firefox's security issues. I'm trying to help you modify your site so that people take it more seriously. I never denied that Firefox has its own security issues, but the fact that your site is viewed as a "hit piece" and not an objective, unbiased source means the points you raise aren't being taken seriously, defeating the purpose of the "Firefox Myths" page.

Instead of thinking "Hey, I should demand Firefox deal with the security issues in the extensions," your concerns are being written off as a rant.
I am bashing nothing, just because the majority of the Firefox Myths are overexaggerated positives does not mean that I am bashing Firefox.
Again, you're ignoring the emotional reaction people have to your tone and attitude.

You have a choice Andrew.

Option 1:

Leave the page as it is, occasionally updating it to reflect new data and myths. Continue responding to criticism with a hostile, attacking tone.

Option 2:

Rewrite the page to reflect an unbiased view of the facts. In the rewrite, address the concerns that have been raised about your site and do your best to anticipate new ones. Engage in an actual dialog with the people who criticize the site, treating their concerns with respect, even when they're hostile towards you.

The path you choose will reveal your true intentions with the site. Option 1 is the path for someone who is hard-headed and more interested in angering people than in dispensing facts.

Option 2 could very well make your site into something of a Snopes.com for Firefox, a relied upon and quoted resource that the Firefox developers could very well come to see as a list of issues they NEED to address.
Counterpoints are Excuses and excuses will never be added to the page.
Again, that arrogance, that refusal to even admit someone else might have a point is what's damaging your credibility more than anything else. Isn't your entire site nothing more than an attempt to provide counterpoints to the myths and exaggerations you've seen on the Internet? You come across as dogmatically saying "If you disagree with me you're an idiot making excuses."

Friday, September 21, 2007

Fond memories of jobs long gone

The following is in response to a Sharkbait posting about a boss who insisted on a three letter user name and identical password.

I had a boss who made the same demand. He insisted his user name and password be his initials. I pointed out the threat this posed, but he insisted that no one would ever try to hack his account anyway.

I mentioned the name of a former employee who was suing the company. The boss laughed.

I was not surprised when in one of the depositions the former employee's lawyer produced a confidential e-mail that the VP had sent the owner. I asked the lawyer how he got that e-mail and he refused to answer.

I told the Owner about this and his response was "Well if he'd read my e-mail I'd have known because it wouldn't have been highlighted anymore!"

I replied with "If you give me two minutes of your time I'll show you how easy it is for someone to read your e-mail without you ever knowing. I'll use your account as an example."

He stared at me for a second and said "Well there's no need to get carried away."

"Please change your password. If you don't (former employee) will continue reading all the e-mail you receive."

"I'll never remember it."

"Write it on a piece of paper and keep it in your wallet."

He kept the new password in his wallet for a good week before he just wrote it on a post-it note on his monitor. I left the issue be. At least now someone had to get INTO the building to read the owner's e-mail. I also convinced him to change the password whenever an employee left under hostile circumstances.

Tuesday, September 18, 2007

Revisiting the "Firefox Myths" Part 6

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.
Myth - "Firefox is the Fastest Web Browser"

Firefox Myths is 2 years old! You then make ridiculous comments about my "beloved" browser which makes you lose even more credibility when I state no such thing. Regardless this Myth is clearly debunked, Opera is fastest. You however point out irrelevant things to a page about Firefox Myths. This is not IE Myths.
The inclusion of some data on IE 7 makes it clear that Andrew K has been updating "Firefox Myths." With this in mind, I fail to see the relevance of his mention of how old the original version of the article is. Is he trying to beg our pardon for shoddy editing?

My crack about IE 6 being a "beloved" browser is based on Andrew's insistence upon using it as a baseline when comparing Firefox and IE system requirements and his vigorous defense of that decision. He refused to use IE 7 for comparisons when it would show Firefox in a good light.

Of course all that is beside the point. The bottom line is, I agreed that Firefox is NOT the fastest web browser, and Andrew K still felt compelled to argue with me about it. More and more, I'm convinced that Andrew K is a troll trying to drive traffic to his web site.
Myth - "Firefox is Faster than Internet Explorer 7"

Hello the page is not about IE!! This myth is clearly debunked.
A quick note to Andrew:

The Myth is about Firefox and IE and the comparisons being made between them. This means IE is relevant.

Let's take a look at the criteria used for the speed tests:

| Browser name | Cold start | Warm start | Rendering CSS | Rendering table | Script speed | Multiple images | History |
|---|---|---|---|---|---|---|---|
| Firefox 2.0 | 11.64 | 3.05 | 1.71 | 1.62 | 22 | 2.03 | 48 |
| Internet Explorer 7.0 (b3) | 7.8 | 2.4 | 2.13 | 1.47 | 36 | 2.47 | 39 |
| Opera 9.01 | 2.47 | 2.24 | 0.84 | 1.08 | 13 | 1.44 | 8 |


OK, we all know Firefox takes a while to start up. Two of those 7 metrics are only relevant when launching the application. I only launch my web browser once or twice a day at the most. For actual day to day web browsing I'm going to care more about the other statistics.

For rendering a table, IE has a 0.15 second edge on Firefox. The History test involved loading 10 pages from cache, and IE will do that 9 seconds faster than Firefox. On the flip side, Firefox was able to execute the test script 14 seconds FASTER than IE.

According to the stats above, for the actual task of web browsing IE is slower than Firefox. If you're viewing a web site that's graphics heavy, or that uses the Javascript and CSS heavy AJAX framework, Internet Explorer is noticeably slower.

Of course this is all just one set of tests from one site. More to the point, all these statistics came from an Opera employee.
Myth - "Firefox is Faster than Mozilla"

This is all your opinion not substantiated by any data and irrelevant to the page. This Myth is debunked.
Actually I gave quite a bit of data, demonstrating that outside of Firefox's launch time, Opera's speed and IE 7's abysmal Scripting score, most of the performance measures differed by less than half a second. Can YOU tell the difference between a web site taking 5 seconds to load and 5.5 seconds?
Myth - "Firefox Gained 25% Market Share in May 2007"
Myth - "Firefox Achieved 20% Market Share in January 2006 in Europe"
Myth - "Firefox Achieved 10% Market Share in 2005"

These Myths are important to highlight the obvious bias Firefox was getting to promote an untrue market share.
Funny, but there are sources that claim the Firefox headlines are accurate. Let's look at the 10% in 2005 figure.
  • Onestat: 11.51% by November 2005.
  • ADTECH: 12.41% by September 2005.
  • XiTi: 13.08% by October 2005.
Web Browser statistics are a bit of a black art. No one ever has a sample set representing 100% of the Web, they'll always be looking at a subset of the population, specifically, the people visiting web sites that in turn purchased the products of the company providing the statistics.
W3CSchools is a horrible example that site simply records visitor statistics and is severely biased.

The Browsernews is even more biased looking at the sources as it tries to compare single domain page hits with companies who monitor web traffic across hundreds of thousands of pages. Ridiculous. If you don't understand the difference I cannot help you, regardless these myths are debunked.
I wonder how Andrew would try to gather browser statistics. Looking at this reply, it really does sound like he's making a stab at parody. According to his description, Browsernews is trying to generate browser statistics by aggregating data from "Thousands of sources."

Isn't one of the ways to improve a survey's reliability to enlarge the sample size?

What makes the statistics Andrew uses "better" than the other sites? How would he describe the difference between them?
Myth - "Firefox Achieved 150 million downloads in January of 2006"

This was widely spammed at the time which is why it was listed.
Funny, but the only headlines I saw about it were about the miscount and what was being done to keep it from happening again.
Myth - "Firefox is Secure"

Secure as in not vulnerable to anything. This is not a comparison! Security comparisons to be non-biased must be done between a set timeframe since it is obvious a browser that was out for 3-5 more years would have more vulnerabilities. Regardless Firefox is NOT secure and the Myth is debunked.
Pardon me, I got a good belly laugh out of the line "Secure as in not vulnerable to anything." Show me one Web browser that's "Secure as in not vulnerable to anything." Go on Andrew, show me ONE. In my original article I point out that many of the "Vulnerabilities" in Andrew's listing are actually fixed, and never resulted in an exploit in the wild. The method Andrew uses to get his bug counts is inaccurate.

I could debate the nuances of what different people think of when they see the word "Secure" but that would be a waste of time, as it would be entirely too subjective. Instead I'll propose a compromise: I'll gladly concede Firefox isn't "Secure" if Andrew K will concede that by the definition he uses of "Secure" there's no "Secure" version of Internet Explorer or Opera, and add a statement to that effect to the "myth" on his web site.

Revisiting the "Firefox Myths" Part 5

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.
Myth - "Firefox has lower System Requirements than Internet Explorer"

First of all read the examples are not myths section. Regardless I had multiple sources for many Myths but I only started screen capturing them as I found them go off line one after another after I linked to them. There is nothing I can do about it other than to show the screen capture.

The page came out in 2005! Regardless there is no "apples to apples" comparison. I actually compare IE6 to both Firefox 1.x to 2.x IE6 has the most market share of any browser period and the Myth is debunked.
This discussion is based on the fact that Andrew K compared Internet Explorer 6's system requirements to those of Firefox 2, even though IE 6 came out in 2002. He compared Firefox to a version of Internet Explorer that was released FIVE YEARS earlier. An Apples to Apples comparison DOES exist, comparing IE 7 to Firefox 2. When you do that, you find they have the same minimum system requirements.

I challenge Andrew K to include the Internet Explorer version information when he compares the browser requirements for IE 6 to Firefox 2. If you're going to use misleading information and massaged statistics, then reveal the browser versions you're comparing.

Why does Andrew K insist upon choosing a baseline of IE 6, a browser whose own publisher wants you to upgrade? What is his fascination with clinging to obsolete technology? As of September 2007, IE 7 already has about half of IE 6's browser share market, and you can't even GET IE 6 on new PCs without going through hoops to install Windows XP or 2000.

Microsoft publishes information on Internet Explorer's product support life cycle. You can see that it's been a few years since IE6 was updated, and despite the fact that IE6 will remain supported for the life cycle of Windows XP, it's clear that all Microsoft's development is being geared towards IE7.

Given how long it took for the IE CreateTextRange remote execution vulnerability to be patched when IE 7 was still close to a year from release, do you really want to be using IE 6 when the Internet Explorer developers are focusing on IE 7?

Andrew only "Debunked" this myth in that he carefully chose his browser versions to get the results he wanted. I stand by my original automotive analogy: "This is a bit like Toyota comparing their safest 2007 Sedan to the late 1980's Ford Pinto and using that comparison to claim that Toyota cars are safer than Ford. Such comparisons make it look like you have something to hide."
Myth - "Firefox uses less memory than Internet Explorer"

If you could please provide a link that shows what part of IE loads when I would be interested and am still waiting for two years for proof of. Regardless the Myth is debunked.
Fascinating. I agreed with him and he still felt compelled to argue with me about it.

No, I didn't refute the common belief that IE components load at boot time, I did one better, I pointed out that it doesn't matter if they do. Even if IE components are loaded at boot, it doesn't matter in terms of memory usage comparisons, unless you can find a way to avoid loading those components when Windows boots.
Myth - "Firefox is Bug Free"

What you consider a Myth is irrelevant to what many others believe. Many people believe this and thus it is a Myth and obviously debunked.
Well, you did find ONE example of someone who thought Firefox was bug free, so I'll grant you this one. However, I recommend you find and link to more sources for this Myth. As it stands, using a Pet Lover's forum as the "source" for the myth is questionable at best. All you're really doing is proving there are idiots who don't know what they're talking about online. A quick look at Yahoo Answers will prove the same thing.
Myth - "Firefox is Stable"

Corrupt Preference Issues and Profile Issues are core browser issues! Again you show your bias for what you think the page is about, it is not to sell a browser or promote IE. I state nothing about IE here and yet you do, I can clearly see now how you are incapable of reading what I clearly state. It is to debunk Myths. This myth is clearly debunked.
Oh, that's cute! Andrew edited the page to add references to "Corrupt Preference Issues, Profile Issues, Plugin Issues." The previous version only mentioned the third party extensions.
Of course the Wayback Machine doesn't have a copy of the old page and I neglected to save a copy to my hard disk. Well, I just saved a copy of the page to my local drive, so if Andrew pulls that stunt again I'll have proof.

Anyone out there have a copy of the previous version of Andrew K's page?

I'm glad to see my article has forced Andrew to revisit and improve his page.

Regardless, the wording of the Myth is highly subjective. The source he chooses is using the phrase "Firefox is Stable" to compare Firefox to Internet Explorer. Yes, Andrew K demonstrated that Firefox is as vulnerable to bugs as any other program, but he does so in a misleading manner.

Most people use the phrase "Stable" to refer to software that doesn't crash all the time, it's safe to use in a production environment and won't leave you frustrated with lost data on a regular basis. An unbiased review of Firefox and this myth would have combined this with the "Firefox is Bug Free" myth to point out all software is vulnerable to stability issues. As it stands, Andrew K implies that Firefox is less stable than other browsers. While I can't speak for Opera, Firefox 2.x is more stable than any released version of Internet Explorer.