Category Archives: internet security

A Google Engineer who sees the outsider perspective?

I know that as a stubborn old nerd I can be pretty hard to win over, and as much as this Google Engineer claims to have accidentally leaked his rant, I read this as intentionally made public from the get-go just by the way it was written to ‘everyone’ in a few spots. I could be wrong, but I’m not reading this as a leak, just as a rant.

Ranting google employee

The full post is, amazingly enough, still readable over on Google+ as a public post (although the original author has since deleted it, to little effect). I shouldn’t say it’s really amazing that the post is still public: people copied it instantly, so there’s no point in trying to remove it now.

Make no mistake, there are a few good points from Steve Yegge; I find some of the observations to be true, but mostly from an outsider’s standpoint, which is shocking because it was written by a fellow with almost 6 years of experience in the company. Google does have platforms, they do use them, and they do share them. True, there’s always been an obvious panic about security that has affected accessibility, but then Google’s track record probably wouldn’t be as amazing with a more casual approach to giving outsiders access to core tech.

Amazingly, of all the points made, the one that resonates most with my own opinion is that Google is becoming arrogant and almost needs two versions of projects like Google’s Chrome browser. One version that runs super secure, fast, compatible, and sleek, with no frills or compromises. The other needs to be as bloated as Firefox/Opera, and it’d run like a buggy mess of poorly considered features that are starkly incompatible with themselves. To quote Steve on arrogance and Chrome development:

“You know how people are always saying Google is arrogant? I’m a Googler, so I get as irritated as you do when people say that. We’re not arrogant, by and large. We’re, like, 99% Arrogance-Free. I did start this post — if you’ll reach back into distant memory — by describing Google as “doing everything right”. We do mean well, and for the most part when people say we’re arrogant it’s because we didn’t hire them, or they’re unhappy with our policies, or something along those lines. They’re inferring arrogance because it makes them feel better.

But when we take the stance that we know how to design the perfect product for everyone, and believe you me, I hear that a lot, then we’re being fools. You can attribute it to arrogance, or naivete, or whatever — it doesn’t matter in the end, because it’s foolishness. There IS no perfect product for everyone.

And so we wind up with a browser that doesn’t let you set the default font size. Talk about an affront to Accessibility. I mean, as I get older I’m actually going blind. For real. I’ve been nearsighted all my life, and once you hit 40 years old you stop being able to see things up close. So font selection becomes this life-or-death thing: it can lock you out of the product completely. But the Chrome team is flat-out arrogant here: they want to build a zero-configuration product, and they’re quite brazen about it, and F*** You if you’re blind or deaf or whatever. Hit Ctrl-+ on every single page visit for the rest of your life.”

When Steve deleted the original post he put up a good note on why it’s bad to have such things in public:

“Please realize, though, that even now, after six years, I know astoundingly little about Google. It’s a huge company and they do tons of stuff, and I work off in a little corner of the company (both technically and geographically) that gives me very little insight into anything else going on there. So my opinions, even though they may seem well-formed and accurate, really are just a bunch of opinions from someone who’s nowhere near the center of the action — so I wouldn’t read too much into anything I said.”

I really couldn’t agree more. If this had come from someone working with Google’s engineers on something such as the Go language it would have been a different story, but Steve’s admission of the limited scope of his role is very honest and worth keeping in mind as you read his rant.

TL;DR – Google guy rants about Google’s strategies from an outsider’s perspective and calls out some of the lingering issues with Google’s dev teams/arrogance. Everyone would like to see Google bend more and give more, though nobody can seem to qualify themselves to say if it’s really the wisest strategy.

1st SEO Impressions of Windows 8

I started my computer life on an Apple II PC, my first gaming/entertainment electronics experience was the Leisure Vision, and it wasn’t until high school that I met my first IBM, an XT with an attitude. So in my years you can bet I’ve seen a few operating system ‘revolutions’; heck, the first computer I paid for with my own money was the Mac Classic, back when it was the first PC to have a mouse and ‘Windows’ (plus it could talk!). :)

Things have changed a bit since that 8 MHz Macintosh with its single-colour 10″ non-upgradable screen. The 4 MB maximum of RAM that was a selling point of my Mac isn’t even enough for a modern CPU cache, let alone an OS plus applications, and ‘booting from disk’ has a totally different meaning.

Along comes Windows 8 and I really felt that I needed a new operating system like I needed a new hair in my nose, so I was in no rush at all to review it. The situation reminded me of a quote from Tron 2.0:

“..what sort of improvements have been made in Flynn… I mean, um, Windows 8?” .. “This year we put an 8 on the box!”
Encom OS-12

Well, it’s not really that bad. In fact, the more I poke at Windows 8 the more I see its potential, and I can see how it could be a game changer for a web-based business. Here’s why:

  • The start menu is now a web page with tiled animated content, including feeds from websites like XKCD.com:
    Embedded websites in Windows 8 Start Menu
    – Do you have your website set up properly to feed the new start menu when people add your site there?

  • IE10 is the browser the OS uses. You can install another, but it won’t get loaded until you specifically launch it.
    – Does your site look the way you’d expect in IE10? I know our aging site layout looks different in IE10.

  • There is no prompt to choose a search engine; you’ve got Bing, and what more could anyone want?
    – This could divide the consumer base between power users who have fiddled and those who just use things ‘as is’. Depending on your market this could change the way you look at Bing.

  • Clicking the “Make Google my homepage.” link on the google.com/.ca homepage currently causes IE10 to load a blank white page instead of the default home screen.
    – Does your site use similar JavaScript? Will you have the same issues with IE10 users?

  • Built-in applications for reaching social networks aren’t broad enough. The “Socialite” program for Facebook only works with Facebook, and drops support for Twitter, Reddit, Google Reader, Flickr, Digg, etc.
    – Speaking of which, how cozy are you with giving MS access to everything?

    Windows 8 Socialite Preview for FaceBook

Mind you, with all the stink that’s getting raised over the UEFI secure boot protocol, the rate of adoption for Windows 8 could be pitiful. If Microsoft’s hardware partners went ahead with the new feature it would lock out other OSes and force people to deal with one source for new OS installs/upgrades.

Google+ starts Name Verification

There are some really famous people reaching out to fans on-line, but if you just got a notification today that someone famous has added you to some circles what can you do to see if they are who they say they are?

Imposters everywhere

Until recently, there wasn’t much you could do since Google+ has been busy growing and tackling other issues. Now you can start looking for the verified check mark to confirm that the person you’re looking at has been verified by Google+.

Fake Ted Danson Google+ profile

This is also very handy for people who have taken on names that may seem ‘fake’ but are legal names. I’m not sure if the artist formerly known as ‘Prince’ has found a way to express his name with traditional characters, but my guess is that he’d be detected as having a ‘fake’ name if he did.

Google even released a video from Google staff member Wen-Ai Yu that explains the new feature a bit more:

She does a great job of introducing the new feature, and some motivations, without going much deeper. Sadly there’s no mention of how to apply for the verification status in the video or the posts I’ve found so far. I’ll be watching for the info on getting verified and will update the blog when I find it.

Wen-Ai Yu did however give us a link to the real Dolly Parton’s Google+ profile. Yeehaw!

Google+ Free For All

If you’ve been able to get on-line with all the outages this morning (EAST-1 was down for a bit) then you may have seen a number of links showing up for ‘free invites’ to Google+.

Free for all tomato fight

I know we did an article about the rumour that Google+ was going to accept new sign-ups without invitations on July 31st, but that came from the ‘official Facebook group’, which was a rather poor source. To my knowledge the rumour never panned out, and we still have an invite-only system in place where Google can track how each person is related to the next. It’s not hard to get into Google+; it’s only difficult to do it anonymously.

Almost all of the links are valid, point to an “ngemlink” path, and seem to work, even though the final section of each appears to be totally random:

Random invite example #1
Random invite example #2
Random invite example #3

This would mean that advertisers, groups, and other technically ‘unwanted’ new users are hitting the system for the first time without a legitimate connection to the accounts that are letting them join. If that’s the case, where’s the response? The only thing I found related to spamming on Google threads today was this little thank-you picture:

Google Voice anti-spam

Perhaps I am in a quiet corner of the web and haven’t had the exposure to such things, but my Google+ profile has been entirely spam free. Indeed, the worst offenders for spamming are associates in the SEO business who like to push out a few posts per day due to the wide range of stuff they tackle. Most of that content is related to topics that I’m interested in both professionally and personally, so it’s not really spam per se, just an excess of content that dwarfs the smaller feeds.

It’s quiet, almost too quiet..

Google is taking out the trash

For some time now the “free hosting” Korean company Co.cc has been a home for malware, phishing, and large volumes of spam content.

Over at Google I can picture a handful of their best ‘whack-a-mole’ admins looming over activity from .co.cc sites.
Endlessly fighting spammers

It’s anyone’s guess what kind of resources this one company has tied up over at Google (and other search engines), but I’m going with “too much” as my guess. When you consider that most of the results are spam, and the rest are mainly malware and phishing attacks, it shouldn’t be a shock that Google has done us all a favour and simply blocked the whole *.co.cc stream from showing in the search results.

Sadly, spammers will be spammers, and already I can see that http://jzp.cc/ is acting as a portal to .co.cc sites, and Google is currently showing those sites in its search results.

Google needs a bigger hammer
Wait, I see the problem! Going to need a bigger hammer!



The very unpleasant problem with this tactic is that the spam tends to just squish around, like a full diaper. The .cc TLD belongs to the Cocos Islands in Australia, and while there are legitimate sites on that domain, the figures from the Anti-Phishing Working Group for 2010 are quite amazing: in the latter half of 2010 alone, .cc domains accounted for almost five thousand phishing attacks!

While the percentage of good sites in the .cc realm might be questionable, Google is effectively removing over 11 million registered domains run by almost 6 million users! My personal guess is that the block will stay up for some time, and once the spam has shifted elsewhere we’ll silently see .co.cc domains back in the search results.

Google has stated in the past that they aren’t above blocking an entire bulk sub-domain; they have now clearly proven they will follow through, and I expect them to continue to do this as companies lose control of the content from their users.
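The post’s point is that the block is scoped to the bulk sub-domain service (everything under co.cc), not to the whole .cc country TLD where legitimate Cocos Islands sites live. The following is an added example, not code from the original post or from Google, that shows what such a suffix-scoped filter looks like when applied to a list of result URLs. The provider list and the sample URLs are constructed here; only the co.cc name comes from the post.

```python
"""
Added example (not from the original post): suppress search-result URLs that
sit under a bulk free-subdomain provider (co.cc is the one the post names)
without over-blocking the rest of the .cc TLD.
"""
from urllib.parse import urlsplit

# Suffixes to suppress. co.cc is named in the post; in practice an operator
# would feed this from their own abuse intelligence.
BULK_SUBDOMAIN_PROVIDERS = frozenset({"co.cc"})


def hostname_of(url):
    """Return the lower-cased hostname of a URL (scheme optional), or None."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    return host.lower().rstrip(".") if host else None


def bulk_provider_for(host, providers=BULK_SUBDOMAIN_PROVIDERS):
    """Return the provider suffix this host is a sub-domain of, or None.

    'spam.co.cc' and 'a.b.co.cc' match 'co.cc'. The provider apex itself
    ('co.cc'), an unrelated .cc site ('example.cc') and a look-alike label
    ('notco.cc') do not match, because matching is done on whole labels.
    """
    labels = host.split(".")
    for provider in providers:
        plabels = provider.split(".")
        if len(labels) > len(plabels) and labels[-len(plabels):] == plabels:
            return provider
    return None


def filter_results(urls, providers=BULK_SUBDOMAIN_PROVIDERS):
    """Split result URLs into (kept, suppressed); suppressed holds
    (url, provider) pairs so the reason for removal is recorded."""
    kept, suppressed = [], []
    for url in urls:
        host = hostname_of(url)
        provider = bulk_provider_for(host, providers) if host else None
        if provider:
            suppressed.append((url, provider))
        else:
            kept.append(url)
    return kept, suppressed


# Constructed sample result list (not taken from the post).
SAMPLE_URLS = [
    "http://cheap-pills.co.cc/buy",
    "http://login.bank.example.co.cc/",
    "http://www.example.cc/",   # an ordinary Cocos Islands site: must survive
    "http://co.cc/",            # the provider's own front page: not a sub-domain
    "https://example.com/",
]

if __name__ == "__main__":
    kept, suppressed = filter_results(SAMPLE_URLS)
    for url, provider in suppressed:
        print(f"suppressed {url} (under {provider})")
    for url in kept:
        print(f"kept       {url}")
```

Matching on whole DNS labels is the important detail: a naive `endswith(".cc")` rule would throw out every legitimate .cc site, which is exactly the over-block the post worries about, while an `endswith("co.cc")` string test would also catch unrelated names like notco.cc.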

The best way to fight spam is at the user level. Do you purchase anything that was ‘spammed’ at you? Are you rewarding people who put things on-line for your review, or are you spending money on things that are forcefully presented to you without solicitation? If the only way to make a sale were to respect the customer, retailers wouldn’t spam us, because they would be shooting themselves in the foot. As the consumers in this ecosystem of commerce, the matter is entirely in our hands if we so choose.

Bitcoin takes a beating..

Bitcoin had a serious case of the Mondays yesterday as the EFF dropped the currency for donations, and MtGox, a major international exchange, managed to spill over $5 million worth of BTC in a public ‘free for all’ moment. One lucky fellow snatched up over $5 million worth of BTC with a mere $2,613 by wisely setting an unlimited buy order at $0.0101 (everyone else was bidding $0.01).

The EFF’s move wasn’t so bad when you pick it apart. Accepting any donation might seem harmless, but if the charity needs to convert that donation to a currency then it becomes an issue. The EFF cannot responsibly spend BTC, or exchange it, without exposing themselves to legal entanglement in doing so. Until the currency is ‘trouble free’ the best option for a huge non-profit is to avoid that donation.

In a post from Cindy Cohn on the EFF blog the issue is broken down three ways:
EFF Logo

  • Lack of understanding with regard to legality of BTC
  • Misleading donors with regard to value and use of donations
  • Giving a false endorsement of Bitcoin technology

Going forward, the EFF’s plan is to simply dump the donated BTC into the public faucet, where they will be given away in small chunks to fresh Bitcoin users (or existing users who have never drunk from the faucet). Don’t hurt yourself rushing on over for your handout; the current give-aways are only around 55 cents US when there’s more than 50 BTC in the faucet.

Speaking of give-aways, the $5 million I mentioned at the start of the article is apparently pending the decision of the folks running the exchange. The story is the very essence of TL;DR, so let me try to put it into point form:
BTC Value

  • MtGox set up a BTC exchange in Japan
  • MtGox’s auditors were hacked and an encrypted file was stolen
  • Alerts went out to change passwords and secure accounts
  • At some point on the 19th an MtGox user put a gigantic sell order up
  • As the sell was taking place Kevin Day took note, offering $0.0101 per BTC
  • By the end of the trading Kevin had purchased ~260k BTC for $2,613
  • Kevin took out 643.27 BTC (~$8,000 US) and placed it into a personal wallet
  • MtGox claims that the day of trading broke exchange rules and must be reversed
  • Initially MtGox was considering a review by the FBI but at the moment it seems they are focused on a roll-back
  • MtGox has not mentioned an ability to reverse coins that left the exchange which creates a large problem

At this point the MtGox sites are having a hard time staying up, and as of 11:40 AM GMT they are struggling to allow users access to ‘reclaim’ accounts. I gave up on the site personally and have just been looking at Google’s cached results (a great solution for overloaded websites any time something like this happens).

There is also mention of the exchange going back on-line once the accounts are sorted out, and the claim that when the site is back on-line, trades 218869~222470 will be reverted and the exchange price will go back to ~$17.50/BTC. Given everything that has happened this seems really optimistic to me.

Can’t wait to see what happens tomorrow.

Jobs gives the skinny on iCloud

A slender Steve Jobs came out of medical leave to deliver the keynote address at the 2011 Developers Conference hosted by Apple.

South Park version of Steve Jobs

Looking more like the South Park rendition of the man behind Apple, Steve was notably tired and unhealthy looking (much like the Canucks last night) as he delivered all the details on the new iCloud service:

- Works with iPhones, iPads, iPods, iMacs, and iBooks
- Synchronizes contacts, calendars, and files among devices
- Basic service is free (replacing the $99/yr MobileMe)

While the offerings are similar to free services from Google, Amazon, Dropbox, etc., they are firsts for Apple and will assist Apple users who have legacy audio on CDs.

For a fee of $25 (US) each year, Apple will scan a customer’s hard disk to seek out all non-iTunes music, on the assumption that it was converted from a CD the user owns. Music that is not already in the iTunes catalogue will be uploaded to iCloud; music that is already available in iCloud will simply be added to the user’s iCloud locker without the need to re-purchase it.

Apple mentioned that they are in talks with major recording companies to make this possible, which is a far cry from having those companies on board with such a consumer-friendly design.

Also announced was the Lion OS update for Macintosh. Consumers next month will be able to purchase Lion for $32 and can expect enhanced touch control features, like task switching with gestures, to be included.

iOS5 was also mentioned, as it will come with a new showcase for content that used to be the domain of printed materials, such as newspapers and magazines. Consumers are supposed to think of this as a digital newsstand, however there was no mention of how this presentation would make the content more accessible or interesting. Tweeting from photo apps and more social media connectivity with Facebook seems to be one of the biggest highlights, but we can expect more details closer to the release date.

PS: Don’t forget, tomorrow is IPv6 day, don’t miss your chance to be part of the test.

Windows 8 – First public showing

Yesterday was an exciting day for more than just hockey fans (Go Canucks!). Wednesday was Microsoft’s first public showing of the new Windows 8 user interface.

Windows 8 Start Screen

Microsoft isn’t kidding when they admit to having some strong influences from the mobile phone market!

Moving towards web technologies and taking a page from the ‘Google Gears’ handbook, Microsoft is saying that Windows 8 is geared towards two distinct application types. The first is the traditional compiled Windows application, including games and software you currently run on Windows. The second is more of a full-screen HTML5 + JavaScript application.

Google had great success exploring what a browser can do without an internet connection when they built the Chromebook, and Microsoft clearly wasn’t ignoring this development. Beyond the usual stock-tracking widgets and weather displays that could be running from an internet-connected browser, this will extend to innovative applications like the customizable touch Piano application that was demonstrated.

Hardware in general seems to be an interesting focus of Windows 8:

  • Internet Explorer 10 is built into Windows 8 and it will be very touch friendly, allowing the OS to run on a tablet or make full use of a PC with a touch screen.
  • Microsoft has stated the OS will be compatible with ARM processors and NVIDIA hardware. There should be a showing of that later today.
  • Windows 8 continues the tradition of Windows 7, where dependence on improved hardware is not a given. Indeed, the way forward seems to be extracting more from the current hardware rather than demanding more under the hood for each new feature.

Our next public blurb from Microsoft on the Windows 8 front is due in September during a developer conference in California.


Dave’s Footnote:

While this post focuses on Windows 8, Dave believes that the author may have glossed over the truly important point (tsk tsk Ryan) which is captured in the following video:

There’s no defense for popularity..

I was going to title this post with something a bit more ‘Apple’ but the real problem with malware is popularity.

Recently Apple had to fight off a rather annoying malware attack from an application called Mac Defender that masqueraded as a useful utility for Apple’s OS X. Users duped into installing the fake application were rewarded with unwanted content and a security breach of private files on the machine. Many sites grumbled that Apple’s fix took 3 weeks to deliver, and users who weren’t savvy were exposed victims for that whole period.

Last night I started getting pings from news sites on the web that a fresh deployment of MacDefender was hitting OS X users under a slightly different name, “MacGuard”. Along with the name change, the new malware seems to have found a loophole in the installer options that allows it to self-install without even needing to trick the user into clicking anything. Clearly Apple will need to have a better response time than 3 weeks on this new version of the malware:

MacDefender

From early reports, if you are not surfing the web as an administrator the malware cannot install itself without prompting for the administrator password, which should help slow down the spread. Sadly, OS X’s default account is an administrator account, so it’s rather common for users to be surfing the web as an administrator.

“Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.”

Let’s be clear, however, that savvy users saw this coming, and it was really only a matter of time before the popularity of OS X became a problem. Now that it’s worthwhile to go after OS X users, expect it to happen, and take every precaution you can. Hopefully Apple’s next update won’t take too long.
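The two conditions described above (browsing as an administrator, and the fact that any user can drop an application into the Applications folder) are both things a user can check for themselves. The script below is an added example, not code from the original post or from Apple: it reports whether a given account is in the macOS admin group, whether the Applications folder is writable without elevation, and whether any of the names the post mentions (the avRunner downloader, MacDefender, MacGuard) are present there. The `dscl` command and the `admin` group are real macOS facilities; the helper names, the sample `dscl` output and the sample directory listing are constructed for this example.

```python
"""
Added example (not from the original post or from Apple): defender-side
checks for the conditions MacGuard relies on, as described in the post.
"""
import os
import platform
import subprocess

# Names the post gives for the fake antivirus and its downloader. Extend from
# your own intelligence; nothing beyond these three comes from the post.
SUSPECT_APP_NAMES = ("avRunner", "MacDefender", "MacGuard")


def admin_members(dscl_output):
    """Parse `dscl . -read /Groups/admin GroupMembership` output into the
    set of account names in the admin group."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def is_admin(user, dscl_output=None):
    """True if `user` is in the admin group. When no output is supplied the
    real dscl command is run, which only exists on macOS."""
    if dscl_output is None:
        if platform.system() != "Darwin":
            raise RuntimeError("dscl is macOS-only; pass dscl_output explicitly")
        dscl_output = subprocess.run(
            ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
            capture_output=True, text=True, check=True,
        ).stdout
    return user in admin_members(dscl_output)


def writable_without_password(path):
    """True if the running account can create entries in `path` with no
    elevation prompt: the condition that lets the installer drop avRunner
    into the Applications folder silently."""
    return os.access(path, os.W_OK)


def suspect_entries(entries, names=SUSPECT_APP_NAMES):
    """Return directory entries whose name (with or without a .app suffix)
    matches a suspect name, compared case-insensitively."""
    wanted = {n.lower() for n in names}
    hits = []
    for entry in entries:
        base = entry[:-4] if entry.lower().endswith(".app") else entry
        if base.lower() in wanted:
            hits.append(entry)
    return hits


def scan_applications(app_dir="/Applications"):
    """List suspect entries actually present in the Applications folder."""
    return suspect_entries(os.listdir(app_dir))


# Constructed sample dscl output and directory listing (not real data).
SAMPLE_DSCL = "GroupMembership: root alice\n"
SAMPLE_LISTING = ["Safari.app", "avRunner.app", "Mail.app", "MacGuard.app"]

if __name__ == "__main__":
    user = os.environ.get("USER", "")
    if platform.system() == "Darwin":
        print("admin account:", is_admin(user))
        print("/Applications writable:", writable_without_password("/Applications"))
        print("suspect apps:", scan_applications())
    else:
        # Off macOS, exercise the pure checks on the constructed samples.
        print("alice is admin:", is_admin("alice", SAMPLE_DSCL))
        print("suspect apps in sample:", suspect_entries(SAMPLE_LISTING))
```

Run as the account that normally browses the web: both an admin account and a writable Applications folder coming back true means the silent-install path the post describes is open to that account, and the usual mitigation is to do day-to-day work from a standard (non-admin) account so that an installer has to prompt for credentials.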