Ryan’s Blog

October 23, 2009

“Call ‘em out” The Indiana state website is using Microsoft crap and screwing over standards-compliant browsers

As many of you know, I begrudgingly use Windows:

That doesn’t mean that I love it, and I certainly hate Microsoft Internet Explorer. Seems that some sites still don’t get that IE is a turd and that it’s not what their visitors wish to use.

Well, I had to print out a license I hold from the Indiana State Department of Health yesterday and guess what came up?

WTF!?

Notice the “.aspx” extension? Means they’re using Microsoft ASS.NET, errrr….. ASP.NET. No wonder it breaks when you’re using Opera.

Not every ASS.NET page breaks in Opera, but nearly every page that does break in Opera is built with ASS.NET. (On a side note, Silverblight won’t work at all, but who cares?)

Maybe now that the FCC is making a land grab for the internet under the veil of “network neutrality”, they can enforce real W3C standards on the assclowns that handle Indiana state websites.

September 13, 2009

Another Microsoft horror story, the Huntington Indiana public library

(Image: Huntington Library Suddenly Everything Sucks)

I’ve been meaning to mention this for a while but just never did until now.

If you want a prime example of how reliance on Microsoft software damages the community and betrays the public interest, look no further than the Huntington, Indiana public library.

To say nothing of the potentially tens of thousands of dollars their reliance on Microsoft software has cost taxpayers in Huntington County directly, their reliance on it also conflicts with the budget they’re allocated, to the point where they paradoxically almost never upgrade anything because it will cost money.

Case in point: their website. If you look at the source, you’ll see <meta name="GENERATOR" content="Microsoft FrontPage 4.0">.

When was Microsoft FrontPage 4.0 out?

2000. Now I’m no mathematician, but 2009 minus 2000 means that their web page generator is 9 years old and still targeting Microsoft Internet Explorer 4 (which was still in wide use back then).

Why bother having real bona fide web standards if public institutions entrusted with public money squander and abuse their budget?

Now, judging from the image on the top right of the page, which is a 1.3 megabyte JPEG at a resolution of 2204 x 1364 pixels that someone laughably tried to turn into a thumbnail, when any semi-competent Windows user would know that even paint.exe can resize an image, I am kind of left to deduce that some fucking idiot without even the slightest skillset produced these pages.

With their caveman wit, they chose 10 year old standards-violating Microsoft products and couldn’t even figure out how to resize an image with some bundled freeware.

People like this are a disease.

(Image: a caveman, captioned “The IT department”)

Moving on… Someone thought audio books in DRM’d WMA would be a good idea:

This means that if you’re not using Windows XP or Windows Vista, you can’t check out an audio book, so suddenly the library isn’t just abusing your tax money, they’re practically ripping money straight out of your wallet. I’d liken the Huntington Library using DRM’d WMA to a daylight theft by a pickpocket that the police wouldn’t do anything about.

That means that since I have Kubuntu Linux on my main system right now, I can’t just load the audio file into my media player and hit play, because it won’t work. It also won’t play for Mac users.

The library could use Speex, which is a codec in the public domain with no royalties and broad cross platform support, but the Imaginary Property pushers at the book publishing companies wouldn’t go for that. Who made the law that says that knowledge has to be bottled up to protect the profits of a few corporations, at the expense of the entire public?

Federal lawmakers who have been bought by lobbyists and other special interest groups of course. This one isn’t to be squarely blamed on the incompetence of the Huntington Public Library, but also on state and federal lawmakers betraying their duty to the American people.

And lastly, the internet computers at the Huntington Public Library all run Windows XP:

This falls back under the categories of incompetence of staff and the misappropriation of public tax money.

Not only that, but Windows is so susceptible to viruses, worms and spyware (which would never affect any operating system where security was one of the design concepts from day one) that the Huntington Public Library has locked all of them down in the mistaken belief that this will protect them.

They’ve locked the systems down so tightly that you can’t even use sites that have been designed with Flash or use thumb drives you brought from home. Whoever did the locking down also missed one giant problem: they all use Internet Explorer 6, the least secure web browser ever.

What is the alternative?

The library in Marion, Indiana, just 15 miles or so south of me, uses Linux. Not only do they use Linux, they use a distribution based on the free Fedora Linux called Userful DiscoverStation, which uses terminal multiplexing. This allows one tower to power 10 workstations with their own monitors, keyboards, and mice. This is not only much better for the environment than having 10 boxes running their own copy of the OS, it saves on the electric bill, and they don’t have to buy licenses from Microsoft. (You could set up a free Linux distro to get the same effect; Userful just makes it easier.)

Userful creates an account that is deleted when the user logs out, and times the session to last however long the library allows. So instead of the librarian having to get up and tell someone who is hogging the computer that their time was up 30 minutes ago and others are waiting, the system gives them a warning 10 minutes before they’re logged out to get their shit together and get lost. (In more diplomatic terms obviously).

The systems are secure with the normal permissions of a Linux user account plus the standard SELinux targeted policy inherited from Fedora, which helps keep malicious remote attackers out. Since there are very few security concerns on Linux and because the user is literally incapable of any lasting damage to the system, you can do anything on one of these boxes that you could do as a user on your PC at home (except for clearly administrative tasks). Where the Huntington library Windows XP systems are useless, I was using the Linux system at the Marion library to log into Pidgin instant messenger, browse with Firefox, plug in a thumb drive with documents saved on it from home, and EVERYONE is allowed to do this because the system is in no danger.

So I guess the thing to take from this if you’re the Huntington Library or are in a position of trust to use taxpayer money in a non-frivolous manner and to not discriminate against users with disabilities or with non-Windows systems (or browsers other than IE), is that you should never use Microsoft products in this setting.

They are wholly inappropriate with no merit whatsoever in this use case.

I emailed the Huntington library with my concerns about six months ago and they never bothered to reply.

August 31, 2009

Mozilla Firefox attacked by a spyware extension


According to Trend Micro, there is now a spyware extension in the wild for Firefox.

We have seen a lot of malware target Internet Explorer in the past. This is probably one of the reasons why a huge number of users are opting to use alternative browsers…Though this used to be considered a safe computing practice before, it seems it no longer is with the proliferation of malware [targeting] the most popular alternative Internet browser—Firefox.

Infected Firefox users will see this:

(Image: Infected Firefox)

Pretty convincing, huh? The spyware extension tries to sucker in unsuspecting users by posing as an Adobe Flash update.

I’ve made the case for quite some time that this could happen because there is no real security model for Firefox extensions and that they have the same rights as the logged in user.

This is also a good example of cross platform malicious software. Since Firefox extensions can work on any platform Firefox supports, this spyware also affects Linux, Mac OS X, the BSDs, and every other OS where the user is running Firefox.

Remember, if you use Firefox, that there is only one place to get extensions: https://addons.mozilla.org. DO NOT INSTALL EXTENSIONS FROM ANYWHERE ELSE!

Anyhow, this is exploiting the user through a social engineering attempt rather than a browser exploit. Remember when the only warning Internet Explorer 6 gave about an ActiveX control may very well have been “Click here to install ‘install this plugin to watch all the porn on this website!!!’”? Firefox is not even that safe: the malware vendors at least had to spend $200 to get Verisign to sign their ActiveX control, while it doesn’t cost them anything to make or distribute a Firefox extension. And Internet Explorer now makes you click through the information bar warning, then the installer prompt, THEN it sandboxes the plugin (if you’re on Vista or Windows 7) so that it has no access to anything outside of the browser.

Firefox doesn’t even have this minimal protection from malicious extensions: any extension you install has write access to your User folder (Vista, 7, Linux, OS X, FreeBSD) or your entire system (Windows XP), and possibly your entire system on systems other than XP if it can figure out how to elevate itself.
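As an added example (not code from this post, from Mozilla or from Trend Micro), here is a small Python inventory script for the classic Firefox 3.x install.rdf manifest: it lists each installed extension and flags the ones whose updates come from somewhere other than addons.mozilla.org, since AMO-hosted add-ons omit em:updateURL. The two sample manifests are constructed, and the directory walker assumes the usual <profile>/extensions/<id>/install.rdf layout.

```python
"""Inventory Firefox 3.x-era extensions from their install.rdf manifests (added example)."""
import glob
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
MANIFEST_ABOUT = "urn:mozilla:install-manifest"


def _field(desc: ET.Element, name: str) -> Optional[str]:
    """em:<name> may be written as a child element or as an attribute of Description."""
    child = desc.find(f"{{{EM_NS}}}{name}")
    if child is not None and child.text and child.text.strip():
        return child.text.strip()
    return desc.get(f"{{{EM_NS}}}{name}")


def audit_manifest(install_rdf: str) -> Dict[str, object]:
    """Return the extension's identity plus review findings (a manifest cannot prove safety)."""
    root = ET.fromstring(install_rdf)
    desc = next((d for d in root.iter(f"{{{RDF_NS}}}Description")
                 if MANIFEST_ABOUT in (d.get("about"), d.get(f"{{{RDF_NS}}}about"))), None)
    if desc is None:
        raise ValueError("no urn:mozilla:install-manifest Description in install.rdf")
    update_url = _field(desc, "updateURL")
    findings: List[str] = []
    if update_url:
        parsed = urlparse(update_url)
        # Add-ons hosted on addons.mozilla.org omit em:updateURL (AMO serves their updates),
        # so a self-hosted channel means the author, not Mozilla, ships future versions.
        findings.append(f"self-hosted update channel: {parsed.hostname or '?'}")
        if parsed.scheme != "https" and not _field(desc, "updateKey"):
            # Firefox 3 requires https or a signing key (em:updateKey) for update checks.
            findings.append("insecure update channel: non-https updateURL without em:updateKey")
    return {"id": _field(desc, "id"), "name": _field(desc, "name"),
            "version": _field(desc, "version"), "updateURL": update_url, "findings": findings}


def audit_extensions_dir(extensions_dir: str) -> List[Dict[str, object]]:
    """Audit every <extensions_dir>/<id>/install.rdf, e.g. a profile's extensions folder."""
    reports = []
    for manifest in sorted(glob.glob(os.path.join(extensions_dir, "*", "install.rdf"))):
        with open(manifest, encoding="utf-8") as fh:
            report = audit_manifest(fh.read())
        report["path"] = manifest
        reports.append(report)
    return reports


# Constructed sample manifests for demonstration; these are not real add-ons.
AMO_STYLE_MANIFEST = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-amo@example.invalid</em:id>
    <em:name>Sample AMO-hosted extension</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>"""
SELF_HOSTED_MANIFEST = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample-self@example.invalid</em:id>
    <em:name>Sample self-hosted extension</em:name>
    <em:version>0.1</em:version>
    <em:updateURL>http://updates.example.invalid/update.rdf</em:updateURL>
  </Description>
</RDF>"""
```

On a shared machine, run audit_extensions_dir against each user's Firefox profile to see what every account has installed, not just your own.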

Weak sudo password that can easily be brute forced, piggybacking onto a Microsoft system component in Windows 7 that’s allowed to silently elevate, relying on user ignorance when clicking on the UAC prompt to “Accept”, etc. I wouldn’t even be surprised if the malicious extension site asked the user to click the UAC Accept button.

So far, even with the myriad of remotely exploitable Firefox vulnerabilities, none have really been a runaway success due to the rapid patch turnaround time of Mozilla and the automatic update function. The problem is that there is no patch for an ignorant/stupid user.

So even though *you* know to look out for malicious Firefox extensions, you might be on a shared computer where your kids will be able to install malware through Firefox, so what do you do?

First, consider switching to a more secure browser:

I can almost hear you sarcastically quip “Now where have I heard THIS before?”, but the truth is that there are browsers that are reasonably safe because the vendor did not foolishly allow extensions running as full programs. Nothing as complex as a web browser will ever be bulletproof; nothing that has to run advanced scripting languages and support file transfer operations that were designed years ago can be. Indeed nothing with hundreds of thousands of lines of source code (or tens of millions in an operating system) can ever be fully debugged. I never say “Program X is fully secure”; I can only say, truthfully, that “Program X is probably more secure than Program Y”.

I recommend Opera 10, I wrote about just why yesterday. It will be released tomorrow, September 1st. The RC is still available at www.opera.com/next if you want to install it today and use the built in updater tomorrow. Opera Widgets are limited as to what they can do for exactly this reason. Mozilla has rolled out a red carpet with their extension system and it looks like now that Firefox has users, the spyware writers have decided to come to the party. Firefox extensions are almost exactly like the bad old days where Microsoft just threw ActiveX into Internet Explorer with the stated purpose of extending the browser, without a reasonable security model. Just like these ActiveX plugins in IE 4/5/6, Firefox plugins and extensions are full programs that can do anything they want, not only manipulating the browser, but limited only by what the Firefox process is allowed to do to the system.

Second, consider a disposable user account:

Ubuntu as of 9.04 has a Guest User account; consider making other users of the computer who may install malicious software use this account. All the changes they make to that account, including the Firefox profile, are deleted every time they log out. If this is too frustrating, then give them their own account but do not give them access to sudo. No sudo means that the damage and malicious software in their account cannot affect other users of the computer or any system files.

Windows has various options for accomplishing the same thing: Windows XP and Vista users can use SteadyState, and Windows 7 users can set up an account and configure it to use Guest Mode (not to be confused with a Guest Account) once the desired state is set up. While in SteadyState or Guest Mode, an account cannot harm the system or other user accounts, and all files and settings are deleted when the user logs out. An account can be turned back into a normal account by turning SteadyState or Guest Mode off. Again, if this is too much hassle, at least make them an account that is a “User Account” *NOT* “Administrator”, and damage and malicious software in their account shouldn’t affect other users or the system. It also stops them from installing software globally. (That is, they can only install software that resides in their User folder and doesn’t require access to the system.)

Perhaps the troubles with Apple software and “Free Software” are an “inconvenient truth” that some people will stop at nothing to cover up, but this false sense of security that these deniers provide you with is just as dangerous as Apple proclaiming that Macs are immune from viruses while they silently added a malicious software scanner into Snow Leopard.

Perhaps they could call the scanner “SnowJob”, or is that SnowJobs? *smirk*

Opera 10 is almost here!

The Release Candidate of Opera 10 landed a few days ago:

I’ve been using the (roughly) weekly builds available on the Opera Desktop Team Blog for quite a while, but since those are potentially-unstable testing versions with features that may or may not make the release, I did not want to comment on it one way or the other until I was satisfied that I could give something close to the final code a decent review.

As you may or may not be aware, the Opera browser is one of the older ones, not the first, but it is the oldest surviving browser still being actively developed. It not only predates Firefox, it also predates Monopo$oft Idiot Exploiter Internet Explorer.

You may have even used Opera and not been aware of it. They are the only worthy browser on mobile phones, and roughly tie the mobile version of Safari (which only runs on the hypePhone) for user share. (In fact, Apple blocking Opera on the iPhone is reason enough to avoid the iPhone in my opinion.)

Opera started out as a skunkworks-type project at a Norwegian phone company back in the early ’90s; version 1.0 was apparently never circulated.

I personally started using Opera in 1998. It was small, so small in fact, that before version 5.0 the installer fit on a floppy disk. It was fast, dramatically faster than IE (still is) or Netscape Navigator (R.I.P.), had bleeding edge support for W3C web standards (still does), and it had a feature that most people probably thought was invented by Firefox, tabs.*

(*Well, actually, better than tabs: a true Multiple Document Interface where every tab was also its own window. This can still be activated, but it defaults to tabs for the sake of users familiar with Firefox.)

Every release of Opera has had better overall support for W3C standards than any competing browser at that time. Unfortunately a lot of pages were written to humor Internet Explorer’s horrible nonstandard Trident rendering engine and so you sometimes still had to fire up IE. *gnashes his teeth remembering IE 5*

Also, Opera didn’t get a lot of mainstream attention on the desktop because it used to be $39 shareware. IE may be terrible, but everything installed it, you couldn’t get rid of it, and this eventually included Windows 98. (And the IE 4 installer was responsible for corrupting more copies of Windows 95 than I care to remember.)

Opera changed revenue models a couple of times, it became adware for a couple of releases (Opera wrote the code themselves so they didn’t have to rely on spyware), and finally it became freeware for anyone that wanted to download it.

A lot of other things have changed in that time as well, including the fact that Opera now not only has the most thorough standards compliance, but it’s also compatible with most poorly written pages that were created with IE in mind.

Now that we have the history lesson out of the way, what’s going on in Opera 10?

On Windows, Opera 10 is an evolutionary upgrade over Opera 9.x for most desktop users, it’s faster, it’s more reliable, its rendering engine is vastly improved, and there’s even a few new features. In short it’s more, better, faster.

On Linux, users have much more to be excited about. Opera now not only has a native x86-64 version, but also, the Linux version seems to finally use xdg-open by default so that you can open your downloaded files and the folders you saved them to without tweaking the preferences.

Opera 10 on Linux can use the 32-bit Flash plugin through its own internal plugin wrapper (called OperaWrapper), so you don’t have to dick around with a Flash plugin, and my VLC plugin for Firefox worked automatically as well, providing support for most multimedia formats. Also, Opera will now automatically see your IcedTea (open source Java) or Java installation. The Linux version is also now compiled with GCC 4 and Qt 4, leading to an insanely large boost in overall application performance from 9.x.

If you browse on a slow connection, you will appreciate Opera Turbo, a feature which uses Opera’s caching servers to heavily compress web pages before they are delivered to your system. I tried it on a few different connections and made some notes.

The rest:

Opera Turbo

On slow broadband (~1 Mbps) such as basic DSL service, Opera Turbo can cut the time you wait for a web page in half.

On a 56k modem (I had to use bandwidth capping on my router to simulate this), Opera Turbo cut the time to load the average page by over two thirds.

On my connection, (~6 Mbps cable) Opera Turbo actually slowed things down a bit even though it still estimated that it was speeding the connection up. This is likely due to the lag of their server fetching the page and sending it to me since I already have a fast connection.

One thing is clear, this feature is useful for modems, slower broadband, and wireless users (phones and netbooks with 3g cards), but avoid Opera Turbo if your connection is sufficiently fast. It also degrades images by compressing them further using aggressive JPEG compression, so you’ll want to disable Turbo (just click the button to turn it off) before you load any images to be saved to disk.

Bundled extras and Widgets:

Opera still includes the integrated email client, which is superb, a serviceable IRC client (which may replace separate IRC clients like Xchat for casual users), a simple bittorrent client included in the download manager (which I disable in favor of a client which supports bad IP address blocking), and support for Widgets, which extend the browser similarly to Firefox extensions.*

(*Firefox extensions are easier to write and can do more but are also dangerous because they can do anything they want to anything the logged in user has access to, or they can spy on you or do other nasty things, or they may just be poorly written and leak RAM or crash the browser. Opera Widgets can do less, but they are not a potential menace to system security or stability.)

Visual refresh:

Opera 10’s default theme has been reworked to be more aesthetically pleasing. Yes, it is just eye candy, but nobody who works with a program for hours on end wants the ugly interfaces of Firefox or Internet Explorer.

It still supports all themes that worked in Opera 9.x as well. I’m using IBIS inspire, which is a more elegant tweak to the Chinese Opera theme, and I have disabled the menu bar in favor of a Menu button in my tab bar. This leaves me more than enough screen real estate. (About 20% more than Firefox does.) Screenshot here. Default skin here.

How do I block ads?

I use Fanboy’s ad blocking list and user CSS from here. Opera natively supports ad blocking, and you don’t need any silly extensions, you just tell it what to block, those lists do precisely that. Saves you the annoyance of ads, saves you bandwidth, saves you time spent looking at crappy pages packed full of advertising.

Opera Unite may not make the cut for Opera 10:

One thing that Opera Software is working on (that I’ve played around with in the weekly builds) is called Opera Unite which, when finished, will allow even the least computer literate people to set up their own file sharing server and streaming music server running inside the browser, and secure it simply by adding a passkey that you can give to your friends. (Or use to remotely access the files you choose to share from a friend’s house or perhaps at work.)

This feature is NOT in the Release Candidate, and the builds that do have it are marked Opera 10.1, so it will eventually be here and if you want it now then you have to use a desktop team weekly build.

Another favorite feature of mine is Opera Sync:

You can get it in File/Synchronize Opera. This was actually introduced in 9.5, but you can have your bookmarks and other data stored in your My Opera account so that if you use another computer, the two copies of Opera stay “in sync” with each other.

In closing (phew!):

There’s definitely a lot about Opera that should interest any Firefox or Internet Explorer user. While Opera 10 doesn’t have the sheer scripting speed that Chrome and Firefox do, it’s not pokey either. In fact, things like Document Object Model operations blow those both away, so the JavaScript War is a bad thing because it encourages developers and users to only focus on one area of browser performance when in fact the speed of the engine as a whole may not be well rounded. (What good is fast script execution if the browser can’t parse CSS and HTML fast enough to keep up with itself?)

I will rate Opera on my totally opinionated 5-point scale, 1 being the most hideous browser there ever was (Internet Explorer) and 5 being subjectively perfect: Opera gets a 4.8. There’s still a few quirks and things that aren’t as great as they could be (though the new stuff I’m interested in is in their pipeline). User interface is clean, download size is small, performance is great, rendering engine is excellent, and it has a complete suite of tools that Firefox and Internet Explorer lack. Their track record on security is nearly impeccable.

Will Opera 10.1 be *the* browser suite to beat? I’d say 10.0 is already giving the other guys a good run for their money.
