Mark Fox's Weblog

A link from Slashdot reports that the client side markup of the new “Obamafied” whitehouse.gov website suggests it was written in ASP.NET 2.0 using WebForms.

For real change switch to ASP.NET MVC.

Google has announced that it has added magazines to Google Book Search allowing users to search through what will be millions of magazine articles. Titles already available include New York Magazine, Popular Mechanics, and Ebony.

For example July 1973’s Popular Science may be the first cover story on cell phones or “Take along” telephones as they were known then.

Oddly the 1969 Popular Science covers do not include any on the moon landing!

The Mozilla Foundation has announced that is planning to end support for the Firefox 2 browser in mid-December, only six months after Firefox 3 was released.

This rapid move to ending support for Firefox 2 shows a potential danger of using the Mozilla Foundation’s products. Unlike Microsoft which has extensive support for older products the Mozilla Foundation is willing to potentially leave users behind at a rapid pace as it has less commerical concerns.

Following the release of some publicity materials one day early, Google has announced that it is developing an open source web browser based on the existing Webkit rendering engine, currently used by Apple’s Safari browser. The Google Chrome browser is described as having features that include:

• Each tab runs as a completely separate process and is sandboxed from the rest of the operating system.
• Uses an advanced JavaScript engine with on-the-fly machine language compilation and advanced garbage collection for better JavaScript performance
• Built in Google Gears support for offline web applications
• Support for streamlined mode without address bar or browser toolbar
• Other features such as anti-malware and phishing support

The features dealing with JavaScript, tabs, Google Gears and streamlined mode are critical. Together they improve the performance, stability and user interfaces of Google’s numerous browser based applications such as Google Docs and Gmail. Google is not trying to replace Internet Explorer or Firefox; they want to replace Microsoft Office.

Several questions exist: Can Google get any outside developers to work on Google Chrome or will OSS developers feel it is a distraction from Mozilla Firefox and other Mozilla projects? How will Adobe react? This push to use JavaScript in the browser is an attack on its Flash-based rich internet application plans. Finally what will Microsoft’s response be? Can they argue that now that Google has its own browser that Microsoft should be able to modify Internet Explorer in ways that promote Microsoft properties over others?

A number of tech sites are describing a new multi-stage web browser attack that has started to appear. In the attack malicious Flash-based ads, some in legitimate sites such as MSNBC.com and Digg.com are repeatedly placing a URL of a site selling fake security software in the victims’ clipboard. People are therefore sent to that site if they perform the common action of copying a URL and pasting it into their web browser’s address bar and hitting enter without noticing that the URL pasted is not the one they copied. This attack is cross-platform against Windows, Linux and Mac OS and remains in place until the user closes their browser.

Adobe has stated they are aware of the attack and investigating potential solutions.

Microsoft has stated and experts agree that contrary to some news reports (such as this particularly poor one) the recent outbreak of hacking attacks against web sites running Internet Information Services and Microsoft SQL Server is not the result of flaws in the products but rather poor coding practices in the scripts making up the sites. Developers need to follow secure practices in accepting user input.

One odd statement is found in Wired.com’s Compiler blog which states:

While the attack is not Microsoft's fault, it is unique to the company's IIS server.
The automated attack takes advantage to the fact that Microsoft’s IIS servers allow generic commands that don’t require specific table-level arguments.

The link in turn goes to a page with some of the source from the attack which states:

Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN
Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
''''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;

This is T-SQL which is run by MS SQL Server. It has nothing to do with MS IIS with is a web server. Cursors are of course standard SQL elements and sysobjects, syscolumns and exec or their equivalents are found in all databases.

On his CodingHorror blog, Jeff Attwood quotes a story forwarded to him that describes how a user discovered that a shareware tool G-Archiver, that backs up Gmail accounts was secretly emailing each user’s Gmail usernames and passwords to its creator own personal Gmail account. On discovering this the person logged into the author’s Gmail account using the author’s username and password embedded in the utility and found in its mailbox, 1,777 emails with Gmail account information of people who used the software. The user deleted these messages and then changed the account’s password to stop the author from seeing any more emails with account information and contacted Google.

Collecting the Gmail usernames and passwords of the people who used your tool is surely illegal. I hope this gets investigated by the police.

Microsoft has bowed to widespread pressure by web development groups and announced that Internet Explorer 8 will default to its most standards compliant behaviour unless the web page explicitly requires an Internet Explorer 7 compatibility mode or pre-dates standards so much that a “Quirks” mode is used.

This is a change from what Microsoft previously announced in which IE7 compatibility would be applied unless the most standards compliant IE8 behaviour was explicitly requested.

One question is will Microsoft include a force IE7 mode command? Some IE7 compatible sites are no longer maintained and could end up looking poorly under the new default more standards compliant IE8 mode.

It’s expected that Microsoft will unveil IE8 at the MIX08 conference in Las Vegas, March 5-7.

In Canada the Microsoft-Yahoo merger would create a funny situation. As noted by The Canadian Press, Rogers Communications has a partnership with Yahoo for its Rogers Yahoo! Internet service , while competitor Bell Canada links with Microsoft's MSN for its MSN Sympatico service.

Can Microsoft-Yahoo have ties to both companies? Could one switch and link up with Google?

With Microsoft’s announcement of a $44.6 billion offer to buy Yahoo at $31 per share in stock and cash, tens of millions if not hundreds of millions of people may be wondering what will happen if their web e-mail, on-line photos, portal home page and numerous other web sites and tools that the two companies offer.

Long Zheng has posted a table that summaries the huge overlap of competing Microsoft and Yahoo offering. Among the overlaps are:

Yahoo.com vs. Msn.com, Yahoo Mail vs. Live Hotmail, Yahoo Messenger vs. Live Messenger, Yahoo Search vs. Live Search, etc.

He notes:

Now imagine for each and every one of these you have to make a decision - to keep it as is, integrate Yahoo’s into Microsoft’s, integrate Microsoft’s into Yahoo’s or even come up with a new hybrid. Simple branding aside, I think the developers are going to have to work quite a few late nights to integrate what I believe are two monolithic systems together.

I agree with his final note: Whatever they do, they better not ruin Flickr.

In a follow-up to the announcement that development builds of Internet Explorer 8 has successfully passed the Web Standards Project’s Acid2 test, Microsoft's IE Platform Architect, Chris Wilson has given details of what IE8’s rendering modes will be. Surprisingly Microsoft backed some members of the Web Standards Project have proposed that IE 8’s “standards mode” which is enabled by the presence of a DOCTYPE tag not follow standards but be the IE7 compatibility mode. Only by using an additional tag to specify that IE8 is targeted would IE8’s full standard mode is used.

This is absurd! If an html page has a DOCTYPE tag the browser should follow it. If the author inserted the tag without knowing what it means they will find out soon enough when their site looks different in IE8.

Following AOL's decision to end development on Netscape Navigator, writing in Silicon Alley Insider, Henry Blodget notes that since the Netscape name is still well known to many people who are not sure what FireFox or Mozilla, AOL should sell it to the Mozilla Foundation to be used by a rebranded FireFox. His proposal is:

Now that AOL (TWX) has officially killed the already dead Netscape browser, here's what the company should do with the brand and portal that remain: Sell them to Mozilla/Firefox. Mozilla should then rebrand the Firefox browser "Netscape Firefox," connect it to a retooled Netscape portal, and have another go at Microsoft's IE.

Doing this would help Mozilla expand beyond tech circles into the mainstream who knows that Netscape was a browser they once used or at least heard of, but have no knowledge of FireFox.

Most of the comments to this suggest ridicule the idea and claim that the Netscape brand has no value; however I think it’s worth at least a study.

In a move that ends over a decade of web history, AOL has announced that it will discontinue support of all versions of Netscape Navigator browser after February 1, 2008.

AOL which purchased Netscape Communications Corporation in 1999 had over the years reduced work on Netscape Navigator to making skinned versions of Mozilla FireFox which it helped create by converting the Netscape Communicator web suite into open source software and helping to fund the Mozilla Foundation which is the force behind FireFox, Thunderbird, Bugzilla, and other open source applications.

ComputerWorld has a detailed history of Netscape as a standalone company and under AOL.

I remember the long wait between versions 4 and 6 (they was no version 5) and the disappointment when I realized that the new version preformed very poorly and had little to show for the long wait. This was followed by more disappointment when having crushed Netscape, Microsoft basically shutdown any further Internet Explorer development. We need multiple vendors in the web browser market and its fortunate that while it could not effectively use their Netscape codebase, AOL gave it to a group that could.

The Google Reader development team inadvertently triggered a storm of criticism earlier in the month when they modified how their RSS reader worked. SiliconValley.com describes the change:

Google Reader has long been equipped with a “share” function, through which you could select certain of your feeds or specific posts to be published to a public Web page. To share your gleanings with someone, you’d send them the address of that public page and they would subscribe to it. That process struck the Google developers as inefficient, so on Dec. 14, they rejiggered things so that if someone was on your list of Google Talk or Gmail contacts and was a user of Reader, he or she would automatically be subscribed to your shared items.

While one can question whether “share” means “to make public” in the minds of users this brings up two points to consider, one for developers and one for users:

• Users could be aware that if they use a web application or a desktop application with an automatic updating feature its developers may change how it works at any point with or without any notification to you.
• Developers need to know that while many changes are readily accepted those involving privacy are accepted much less readily. Any nifty but potentially privacy reducing features should require explicit user acceptance, not turned on until the user notices the change and turns them off – if they can.

The Microsoft Internet Explorer Product Team announced on Wednesday that an internal build of Internet Explorer 8 has successfully passed the Web Standard Project Acid2 rendering test, thereby completing a feature that many have demanded – even to the point of lawsuits.

In the announcement, General Manager Dean Hachamovitch describes the team’s communication strategy.

For IE8, we want to communicate facts, not aspirations. We’re posting this information now because we have real working code checked in and we’re confident about delivering it in the final product. We’re listening to the feedback about IE, and at the same time, we are committed to responsible disclosure and setting expectations properly. Now that we’ve run the test on multiple machines and seen it work, we’re excited to be able to share definitive information.

However is this the best strategy? How confident should Microsoft be that a feature will be supported before announcing it? Could much of the frustration evident in the comments to Hachamovitch’s post of December 8th in which people were basically demanding to know what Microsoft was up to have been avoided if a few months ago Hachamovitch simply posted: “we are working hard on making IE8 pass Acid2”?

The post states that more details of IE8 will be released in the MIX08 developer conference in March in Las Vegas and a beta will be released in the first half of 2008.

The New York Times has announced that is ending its Times Select program after two years and will allow free ad-supported access to works by its columnists and to portions the newspaper’s archives in an effort to capture revenue from online advertising. The article states:

But our projections for growth on that paid subscriber base were low, compared to the growth of online advertising,” said Vivian L. Schiller, senior vice president and general manager of the site, NYTimes.com.
What changed, The Times said, was that many more readers started coming to the site from search engines and links on other sites instead of coming directly to NYtimes.com. These indirect readers, unable to get access to articles behind the pay wall and less likely to pay subscription fees than the more loyal direct users, were seen as opportunities for more page views and increased advertising revenue.
“What wasn’t anticipated was the explosion in how much of our traffic would be generated by Google, by Yahoo and some others,” Ms. Schiller said.

This will leave the Wall Street Journal as the only major American newspaper charging for online access to its content. When News Corporation bought it, many analysts discussed models in free ad supported access could bring more revenue than pay access.

SeattlePi.com reports that Microsoft and Eolas Technologies Inc. have settled their patent dispute over technologies used by Internet Explorer in a case that has gone on since 1999. Terms of the agreement have not been disclosed but Eolas did receive some money. The Wikipedia has a good summary of the lawsuit which saw an initial $500 million judgment against Microsoft in a case that had numerous experts such as Tim Berners-Lee oppose Eolas claims.

Important questions:

• Will Microsoft now change Internet Explorer to eliminate its “click to activate” work around?
• Will Eolas now go after other commercial browser developers such as Apple for its Safari browser or Opera Software for its Opera browser or even noncommercial developers such as the Mozilla Foundation which received millions in revenue via search engine agreements with Google?
• If Eolas goes after others will they fight or just pay up?

Ars Technica looks at the recently released Google Desktop 5 beta, Google’s desktop indexed searching utility. One major change examined in the article is a more graphical Vista-like sidebar with a default set of widgets that look prettier than previous versions’ mostly text based widgets.

For Vista users who would rather use the built in Vista Sidebar AccuWeather has a better weather gadget than Vista’s with features like a forecast rather than just the current weather.

Developers may want to read on article about its development on The Code Project.

Viacom which owns a host of cable networks (BET, Famous Music, MTV, VH1, Nickelodeon, Nick at Nite, Comedy Central, CMT: Country Music Television, Spike TV, TV Land) is reporting that traffic to its web sites has increased sharply since it ordered Google to remove over 100,000 video clips from Viacom shows from its YouTube subsidiary after the two companies failed to reach a distribution deal.

Unlike the search industry in which the better algorithm and data centre may win, video distrubution requires content and in this case, for commerically generated content Viacom has the upper hand. Viacom’s next task is to add user generated content such as asking viewers to upload their own remixes of Daily Show or Colbert Report clips.

Following the jury verdict awarding Alcatel-Lucent $1.52 billion from Microsoft for infringing on two patents that cover portions of the MP3 format used by its Windows Media Player a number of people have suggested that this will cause more companies to use the open source Ogg Vorbis codec as a royalty free replacement for the now further encumbered MP3 format. However as a story in Wired News notes while itsdevelopers claim that Ogg Vorbis is patent-free nobody really knows if this is true.

In this case Microsoft licensed patented MP3 technology from Germany’s Fraunhofer-Gesellschaft Institute but the jury decided that Microsoft infringed on other patents from Alcatel-Lucent. If the Fraunhofer-Gesellschaft Institute had open sourced their technology rather than charge for it, the verdict would have been the same. Developers and companies switching to Ogg Vorbis should keep this in mind.

Slashdot has a link to a study (PDF) by Stanford University and Microsoft Research researchers that claims that the use of Extended Validation (EV) SSL Certificates does not prevent “picture-in-picture” phishing attacks which are attempts by malicious websites to fool people into submitting data to an image or form that simulates an entire browser window containing a legitimate website. Since the actual web browser window would still be visible this seems like something that people would be unlikely to fall for. However the researchers found that some people did fall for such a trick. In fact people trained in the significance of the green address bar displayed by Internet Explorer 7 when encountering a site with a valid Extended Validation SSL Certificate were fooled more often that and those who not trained. One reason for this was that when they saw a fake EV SSL Certificate displayed by the phony web browser the users were less likely to challenge the fake.

One idea I have to prevent people falling for a fake web browser would be to have the user select a favourite word when installing the browser. Any window displayed by the browser would then include the word in a place that is always visible. No site trying to create a fake window would know the favourite word and therefore could not display a convincing fake window.

Any other ideas?

Kevin Drum of the Washington Monthly Political Animal blog and originator of Friday Cat Blogging reports that his cat Jasmine, who along with his other cat Inkblot was one of the two original Cat Blogging subjects passed away on Thursday. She will be missed.

I installed Internet Explorer 7 from the Microsoft download site on a machine that currently had IE 6 and Mozilla Firefox 1.5. Some initial thoughts on the user interface.

The position of the menu bar in IE7 simply looks odd, unlike Firefox and every previous version of IE, it is located below the address bar, not above. The menu bar can be hidden through a popup menu if you right click on it for the toolbars. Pressing Alt displays it temporary. Most commands from the the top level items File, Favourites, and Tools have been included in the Page, and Tools toolbar buttons on the right and the Favourities centre on the left so maybe the menu bar is not needed. I’ll try keeping it hidden for a while.

Closing a tab in IE7 is more difficult than in Firefox. In IE7 the close button for a tab is on the tab itself, you must hunt for the correct tab to find the button. In Firefox the close button is separate from the tab and always at the same spot on the right side of the window. For example:

If I select the second tab, it is located on the tab itself.

Selecting the third tab moves the position of the close tab button.

With Firefox the tab close button position is unchanged. It is on the far right when the second tab is selected.

Same position with the third tab selected.

Update: October 25, 2006

With Tuesday’s release of version 2.0, Mozilla Firefox has moved to the close button on each tab camp. From News.com’s review:

The camp in favor of having a "close" button on each tab has won over the majority who argued against them, Beltzner said. Previously, there was one "close" button at the right of the bar. Clicking on this closed only the one last viewed--but it could be difficult to work out which one this was. "Google did usability studies with eye-tracking tools and determined that people actually look to the tab first, and it would take longer to determine if they had the right tab and were ready to close it," Beltzner said. "NASA Ames recently did cognitive modeling for us on tabs. Not only was 'close' button on a tab quicker, but people would be more accurate. They also gave us good data on how wide tabs had to be before people clicked on the wrong one."

Observers have noticed a few problematic items in Microsoft’s Zune portable media player, which it unveiled last week. Firstly it is ever so slightly larger than the comparable 30GB iPod and the announced battery life is less. Even the slightest extra weight or size will no doubt be remarked upon in any review.

Secondly the Zune will not play DRM protected music sold through Microsoft’s own Windows Media "PlaysForSure" system used by online stores such as Napster, Rhapsody, MTV's Urge and Yahoo Music Unlimited. Microsoft defends by stating that the Zune is designed to be tightly integrated with the Zune Store just as iPods are designed for iTunes and it hopes to continue to work with its PlaysForSure partners RealNetworks runs the Rhapsody music service may develop its own end to end solution in response.

Finally many feel that the Zune’s highly touted wireless music sharing system is not only too limited but may violate the Creative Commons (CC) license by wrapping all shared music including freely available CC-licensed works with DRM protection that limited the recipient to playing the music three times over the next three days (via BoingBoing). This shotgun approach is likely due to the difficulty of determining if a song tagged as CC-licensed is really free or a commercially limited song that the Zune's owner retagged in software.

I think Microsoft should take the following approach to sharing music between Zune devices.

• If the track is from the Zune store and the recipient subscribes to the rental service than they should be able to listen to it as much as they want just like any other Zune store track.
• If the track was purchased from the Zune store and the recipient does not subscribe to the rental service the three plays limit should apply.
• Tracks from other than the Zune store should either be freely sharable or not at all.

Update: September 20, 2006

Ars Technica has more details on the Zune music sharing system. Unprotected files will not be modified; rather the receiving unit will implement the 3 plays in 3 days rule. Also tracks received by sharing cannot be shared in turn. Finally the article notes that Microsoft still vague about what can be shared, maybe unprotected files cannot be shared at all.

Yahoo! owned photo-sharing site Flickr has added geotagging to allow photos to be explored by place. The Ajax based interface allows users to drag and drop photos onto a Yahoo! Maps target to select photo locations.

Flickr has announced that within one day, there were 1,234,384 geotagged photos and 1.6 million by the time they blogged about it 9 hours later.

See my photostream, "Mark At Avondale" at http://www.flickr.com/photos/99118482@N00/

AOL apologized today for releasing earlier in the month information about 20 million-search queries by about 650,000 AOL users. While the users were supposedly made anonymous by replacing the users’ AOL ID with a random number the number remains constant for each user throughout the search log. As a result it may make it quite easy to determine the identity of individuals. Michael Arrington of TechCrunch notes:

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.

Previously Google fought a US government request for similar data, eventually agreeing to give a small sample of queries, but not linked by a real or randomly assigned user ID.

Markertwatch.com says that the disclosed data came from roughly 1.5% of AOL’s May search users and the data included roughly one-third of 1% of the total searches conducted during the period.

Update: August 9, 2006

As an example of the extent to which the leaked data might include private information, the New York Times successfully identified an AOL user from Lilburn, Georgia just from her query strings. With her permission the Times includes a subset of her queries and what she says she was looking for at the time.