Sunday, December 13, 2009

Chrome vs. Firefox - Round 1!

It's been a while since I've had a blog post. It's because I've been hard at work on a huge project: migrating over to Windows 7! I'll tell you, I will never regret it.

Something major happened during that migration, however. I uninstalled Firefox 3.5 forever! You heard me right. Now, initially I decided that with the release of Google Chrome 4 Beta with extensions, that would be the end of Mozilla on my machine. It was so far superior to 3.5 that I knew I would never go back. However, with 3.6 just around the corner, I decided to get a crack team of friends together to gather information on both browser betas before making the final call.

Let's start with the number 1 reason people are switching to Chrome: extension support. Beta 4 has added support for extensions and Google has opened the extension gallery to easily search for supported extensions. With extensions like Adthwart, WOT, Drag N Go, and others, it's been very easy to make Chrome more worthwhile of a browsing experience. Let's examine them a bit closer though. The Addictive Tips Blog recently reviewed the problems with Google's extensions and why they will never compare to Mozilla's. To expand on that, we've made a list of a few more things that bug us about Chrome Extensions:

First, Adthwart (and other ad block extensions like Adblock and Adsweep for Chrome) only hides ads after they load. There is no way for any extension to physically pre-block content. This means all those horrendous interactive flash video commercials and such will still play in videos on some of our favorites like Angry Video Game Nerd and That Guy With the Glasses. This isn't too obnoxious, and they still block most of the truly aggravating ads on the internet. Another interesting thing that bugged us is actually a bug! We've submitted this bug report to Google about an issue where clearing browser data through the tool menu will clear all extension settings as well. If you use CCleaner to clear data, however, it is a non-issue, as it already bypasses that bug somehow. Another thing we noticed is that while you can use all sorts of extensions to add some of Google's best features to Firefox, the same isn't true of Firefox features to Google. With Chrome's extension API being so formative, it seems there will not be a complete library of great extensions that truly change functionality in the near future.
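The difference between hiding an ad after it loads and blocking it before the request is made, modeled as an added example (not code from this post, from Chrome's extension API, or from any extension named here). The filter syntax is a small subset of Adblock-style rules, and the page, hosts and function names are constructed for illustration.

```javascript
// Model of two ad-filtering strategies. All hosts and page data are constructed.
// Supported rule form: "||host^" matches that host and any of its subdomains.
function compileFilter(rule) {
  const m = /^\|\|([a-z0-9.-]+)\^$/.exec(rule);
  if (!m) throw new Error("unsupported rule: " + rule);
  const host = m[1];
  return (url) => {
    const h = new URL(url).hostname;
    // Require a label boundary so "bads.example" does not match "ads.example".
    return h === host || h.endsWith("." + host);
  };
}

function matchesAny(filters, url) {
  return filters.some((f) => f(url));
}

// Strategy A, cosmetic hiding: every resource is fetched first, and
// matching elements are hidden only once they exist in the page.
function loadWithHiding(page, filters) {
  const requested = page.resources.map((r) => r.url);
  const visible = requested.filter((u) => !matchesAny(filters, u));
  return { requested, visible };
}

// Strategy B, request blocking: the filter is consulted before the fetch,
// so a matching resource is never requested at all.
function loadWithBlocking(page, filters) {
  const requested = page.resources
    .map((r) => r.url)
    .filter((u) => !matchesAny(filters, u));
  return { requested, visible: requested.slice() };
}

// Third-party hosts that received a request during the page load.
function thirdPartyHostsContacted(page, result) {
  const firstParty = new URL(page.url).hostname;
  const hosts = result.requested
    .map((u) => new URL(u).hostname)
    .filter((h) => h !== firstParty);
  return [...new Set(hosts)].sort();
}

const samplePage = {
  url: "https://videos.example/watch",
  resources: [
    { url: "https://videos.example/player.js", type: "script" },
    { url: "https://cdn.ads.example/preroll.swf", type: "object" },
    { url: "https://track.example/pixel.gif", type: "image" },
    { url: "https://static.example/style.css", type: "stylesheet" },
  ],
};
const filters = ["||ads.example^", "||track.example^"].map(compileFilter);

const hidden = loadWithHiding(samplePage, filters);
const blocked = loadWithBlocking(samplePage, filters);
console.log("hiding   ->", thirdPartyHostsContacted(samplePage, hidden));
console.log("blocking ->", thirdPartyHostsContacted(samplePage, blocked));
```

Both strategies leave the same elements visible, but only blocking keeps the ad and tracking hosts from seeing the visit or delivering content to the browser.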

Speaking of functionality, let's look next at some missing functionality in Chrome. Chrome has no about:config page with which you can easily tweak performance. The tool menu has a few good options, but hardly the customization that Firefox lends. You can't set a limit to how many days' worth of history to keep, for instance. In terms of performance, Chrome seems to beat out Firefox at a glance. This is because Chrome handles JavaScript a bit faster. However, Firefox has the ability to use pipelining to improve load times far beyond that of Chrome. Also, 3.6 Beta has improved cold start and warm start times, something that annoyed many users in 3.5, and by disabling any automatic updates, Firefox can load nearly as fast as Chrome. Also, while increasing pipelines is an advanced user tweak, the Taranfx Blog and others report that Firefox 3.6 Beta also handles JavaScript about 20% faster than 3.5 did, a significant increase which closes the gap between Firefox and Chrome even more.

Also, there are several privacy issues concerning Google Chrome:
Google Chrome privacy worse than you think
Google Chrome Privacy Issues Prompts Plea To Google Execs
Security Issue in Google Chrome
Google Chrome Privacy Protector

We've discovered there is no way to disable the display of visited links, which makes it harder to prevent another significant security/privacy vulnerability. Though these are all fairly minor in comparison to Internet Explorer, we feel it's necessary to note them.

Google Chrome does win out in its ability to isolate tabs and extensions, however, as Firefox won't implement that function until Q4 2010 with the release of 4.0. This prevents browser restarts every time a tab crashes and extensions can be added on-the-fly. This doesn't prevent Chrome from the occasional crash, though, and we have found Firefox, even in this beta version, seems more stable than the Chrome beta. While Chrome is still a vast improvement to Internet Explorer and Firefox 3.5, Firefox 3.6 Beta wins the day.

So sack Firefox 3.5, and get either Chrome 4 Beta, Firefox 3.6 Beta, or both, and compare for yourself! There's no reason to chug your way across the internet any longer!

Sunday, November 1, 2009

The Pope, Frank James, and Barb Brotman Walk into a Halloween Party...

The NPR Two-Way blog reported on Friday that The Vatican bashed Halloween celebration and Frank James (quoting the Chicago Tribune's Barbara Brotman) had some interesting commentary on the subject. I've decided in honor of il Papa that I would post a rebuttal to both sentiments here on his favored feast, All Saints' Day.

First and foremost, the Feast of All Saints' Day takes place when it does because of the Catholic Church's attempts in the Dark Ages to supplant any remnants of the old religious celebrations by forming their liturgical calendar around all the major ones. As many are aware, the end of October into early November was traditionally one of the Indo-European celebrations of harvest and commemoration of the fallen, known to the Celtic people as Samhain. Other tribal groups called it something else, but the sentiment was usually similar, therefore it can be said that the celebration we now call "Hallowe'en" (or "All Hallow's Eve", borrowing from the Catholic's Feast of All Hallows or All Saints) is one that was widespread among Western culture long before the Roman Church. It appears that Benedict XVI, former head of the Catholic office which was until the mid 20th century known as the Inquisition, is making it clear as pope that he still stands firm in his resolve to stamp out what he sees as "enemies" to the faith - including harmless secular holidays that commercialism has managed to promote better than the Church. If the Pope's stance here were in attack against "commercialism vs. Christ", I think I would have far more respect for his statement. However, it drones on about "occultism," "pagan celebrations," and "[Satanic] sects without scruples," noting how "dangerous" the celebration of this holiday is for children. Apparently the Vatican, truly in the spirit of this holiday, prefers to try to spook its members with spiritualism rather than use logic to charm its members into more "wholesome" practices.

Now, in response to the more logical approach to hating Halloween (note the sarcasm), presented by Mr. James - in part via Barb Brotman's article - I would just like to say that you both need to take a chill pill. Really Frank, mentioning the "real horrors of 9-11" as a reason that we should stop "wasting our adrenaline" on the blood and gore-ism of faux-horror films and costuming? OK, so I might agree that often times the gore is over the top. I might agree with Barb that maybe it's a bit wrong for kids to be dressing up as throat-slasher victims and brain-eating zombies. Maybe. But to kids, it's all imaginary. To adults, around this time of the year, we get to be kids again and forget about these real terrors for just one night and pretend it's all imaginary again. So stop being such a grown-up, let your hair down, and enjoy the imaginary spooky again. Be scared in a way you can laugh at later, instead of trying to scare all of us with memories of reality! I really hate a downer...

[Editor's note: All quotes are paraphrased from the article and may not be exact, however are in context with what was being stated.]

Tuesday, October 20, 2009

Finnish Ski Patrol Blows Up Your Face - Film At 11


It's the latest craze in the social networking era. At over 3 million members, Facebook has overtaken Myspace and countless other "Web 2.0" platforms to become the leader in today's social networking sphere. It's no wonder. Since the inception of the "new" Facebook, people have been migrating right and left to escape the horror of vulnerabilities known as Myspace.

However, just because Facebook is a little less inherently vulnerable - with fewer phishing schemes, and no custom CSS coding that can easily redirect all your traffic to an attacker's fake mockups - doesn't mean that you shouldn't investigate further into areas you might still be vulnerable.

Due to the nature of how social networking gains its revenues, they encourage a sort of popularity contest to see who can sign up the most friends, fan pages, etc. to assert that you are the King (or Queen) of the Hill. Everything that is default about Facebook makes this the case. Facebook is slightly different than other social sites, however, as it demands immediately that you sign up with your real first and last name. This should be your first red flag, as you should immediately realize that anything you do can, and will, be collected for marketing purposes unless you opt out. So even if you sign up with a pseudonym that it will accept, let's evaluate your privacy, shall we?

First and foremost let's look at Facebook's initial privacy at a glance. Every group you join, friend you add or talk to, network you become a part of, wall post you make or is made to you, fan page you join, link you post, app you sign up for, and more, shall become public domain. Yes, that's right, the default settings will leave you open to virtually everyone on the entire internet sniffing out all your bidness! And may the Great Internet Gods help you if you actually signed up with your real name! Nothing on the internet ever truly goes away! Now, luckily for you, the "new" Facebook does have privacy-minded people stuffing their suggestion boxes regularly, so more and more privacy features have been added regularly. Many of these are easy to find, however it took a while for me and my friends to discover a way to really take control of our profiles by setting up varying degrees of circles of trust.

Now what do I mean by this? Let's say for instance that you have a social network of coworkers, another of family, some close personal friends, and a handful of professional contacts. You decide to integrate all your social networks into Facebook, because you live on the go, and this is the only way you can keep up with them all. Do you really want to let all your coworkers, family, and business contacts see those newly tagged photos of the party you got trashed at last night with all your buddies? Do your coworkers need to see your hobbies? What about your family? Do you really want to broadcast to them that you are a member of the group "super cover girls that like big wankers"? Probably not.

So other than creating fake accounts (which Facebook deems to be reason enough to shut you down) in order to manage all your varying circles of trust, how can you manage? Behold, a very nice little trick that I discovered with some Googling and testing: Limited Access Friends!

The tutorial that is linked to above will describe how to group your friends into categories, such as "Co-Workers" or "Family" or "Limited Access" and how to then establish privacy settings for these specific groups to limit their access to your page. What the tutorial doesn't describe is how you may further establish more privacy with them. You can not only limit their ability to view parts of your profile (like your friends list and personal info) or being able to post directly to your wall, but you can also limit photos and apps from being viewed. I highly suggest taking a tour around Facebook if you are a member, and examining all the various buttons and links related to settings and privacy, as they are not all nicely lumped in one place. For instance, photo album privacy isn't accessible until you are viewing your albums, and limiting the ability to view the behavior of an app is set up on an app-by-app basis under the application settings (not privacy). Obviously, Facebook wants to give you all sorts of options to establish privacy, but they want to make it as difficult as they can for you to implement it.

Also, the tutorial doesn't explain this, but you don't have to leave a window of opportunity for friends whom you send requests to viewing content they shouldn't after they accept. You can add them to (at least one of) the proper list(s) right when you send the request. (If you want to add them to a second list, you can't to my knowledge do this until after they accept, so just add them to the lowest trust-level of the two, then give them access to other content-enabling lists after they accept.)

Alas, there is no way to hide your fan pages at the moment. I recommend being careful what pages you join anyway, but it is supposed to be in the works for the near future to be able to utilize these same privacy limitations to fan pages as well.

So there you have it, privacy really can exist on Facebook. Oh, and if you are one of those people (like me) who hate all the apps and quizzes, I recommend using Mozilla Firefox and installing a wonderful script (using the add-on Greasemonkey) called Facebook Purity. And if there is that one app you love and can't get rid of, it will let you whitelist apps, too. However, if you don't want all your information tracked by the apps, I would just not allow any of them and opt out of sharing any information via the Facebook API.

Oh, and what on earth does any of this have to do with WW2 Finnish Ski Warfare? Not a damn thing.

Tuesday, October 13, 2009

An Eye for an Eye, a Tooth for a Robbery

I was having a very interesting discussion tonight about secular humanism, which is a wonderful stance that allows for a logical debate about moral philosophy outside the context of religion. During our discussion, the concept of the death penalty came up. It was argued that perhaps a logical way to view the death penalty would be to see it in terms of euthanasia. We seemed to agree that the only place for a justifiable death penalty in a logically minded world is for that of cases of the criminally insane: psychopaths who commit mass murders without empathy, with no hope of remorse or rehabilitation. In these rare cases, the death penalty could be seen as a "mercy killing." It is like putting down a rabid dog, but not necessarily putting down every dog that bites a human being. It takes all sense of "revenge" and "justice" and the like out of the equation when factoring whether or not a murderer should live.

However, it is difficult to come up with some sort of "just" way to prescribe a law for such a thing. So I came up with a solution we could both agree upon. I decided that I should pass this along to the blogosphere to see if it might catch on and spark debate elsewhere. Thus, here is the idea: treason.

If a federal ban on the death penalty were put into effect, there would still need to be a means to eliminate the rogue element of criminally insane as a threat to society via some sort of mercy killing. But I decided that it has to be sold better than the euthanasia argument, as this will not get much steam. I decided that if we add a second clause: that all those to be tried for attempted or successful premeditated mass murder (5 or more) shall now be subject to trial by the federal government as traitors to our sovereign nation. Under the conviction of high treason, these psychopaths, serial killers, and other mass murderers would still be subject to the maximum extent of the law (death). It would require a large burden of proof that these killings were premeditated and therefore would be reserved for the slim and rare cases in which we have already determined the felon should be euthanized for their sake and the sake of society.

Thoughts?

[Editor's note: The title comes from further discussion that the "premeditated" argument would prevent someone arbitrarily defending themselves from a mob to be tried for treason, whereas someone who shoots 5 people in armed robbery might. It's an interesting thought that such a clause to eliminate the death penalty in cases that it really shouldn't factor into, might deter killing in other situations that would never have factored in before.]

Sunday, September 27, 2009

Stupidity in Security

So I was reading through my RSS newsfeeds this morning and caught this article on Slashdot. The discussion is a breathtaking accord of a multitude of topics from security to the First Amendment -- which has also been prominent in the news regarding protests at the G20 summit involving tear gas and a sonic cannon. [Links courtesy The Guardian - UK]

First let's tackle the Rocky Mountain Bank incident with Google. The consensus among geeks seems to be that the bank was at fault for sending the sensitive information via email to begin with. This is a very viable argument, as SMTP servers are used by most large banking entities for this sort of communication. The communication was obviously intended to be between the bank and some large corporate entity or perhaps something internal to the bank itself, to involve such sensitive information en masse (1300 customers). It is quite logical that such a communication should have been done securely, and not to a Google Mail address. The botched communication from the bank to the completely uninvolved user, as well as future communications to that user which were not responded to, were likely sent directly to spam, or deleted promptly as being suspicious. (I mean, who HASN'T received scam emails from "banks" in the past? Anyone? Raise your hand now. Didn't think so.) The fact that the district court ordered not only that Google release the identity of the user, but also deactivate his account, is quite absurd. The bank itself should be held liable for this foolish move that has jeopardized sensitive customer information. Unfortunately, it seems that banks aren't held liable for much of anything these days:

2008 - Fannie Mae and Freddie Mac
2008 - The Goldman Sachs Group, Inc. bailed out by Berkshire Hathaway
2008 - Morgan Stanley bailed out by The Bank of Tokyo-Mitsubishi UFJ
2008-2009 - American International Group, Inc. multiple times
2008 - 2008 United Kingdom bank rescue package
2008 - Canadian Bank Bailout
2008 - Citigroup Inc.
2008 - Fortis Bank
2009 - Bank of America to help it absorb losses that were much greater than expected incurred by its buyout of Merrill Lynch
2009 - CIT Group $3 billion by its bondholders to avoid a bankruptcy

[A list of financial institutions bailed out over the last two years, from Wikipedia]

[Editor's note: Just one day after posting this, I find yet another article in relationship to the subject of banks being forced to pony up on security flaws. We'll see how this one turns out...]

As for First Amendment issues, apparently freedom of assembly is only a natural right, despite what our Bill of Rights states, when one obtains a permit to legally assemble. Most of the reports coming out of the G20 Summit have stated that the majority of protesters were peaceable; yet, it is apparent that a few bad actors -- and the failure to hold a permit to protest in a certain public area -- are cause to violate the rights of the whole. It is a sad state of affairs in the world of security today, both in physical and digital networks.

[Editor's note: And again, just a day after posting this article, more discussions tied to the G20 and similar incidents raised the subject of excited delirium. This is a very controversial subject, however the AMAJ, CMAJ, and DSM-IV are all notably void of putting any credibility to this phenomenon which is often used to justify or cover-up police brutality related deaths. Scary stuff!]