38 posts • joined Wednesday 4th April 2007 11:17 GMT
NoScript is changing web development
The number of sites which absolutely require javascript is decreasing. Nowadays it is much easier to argue for a scriptless fallback to every bit of javascript functionality with clients and pointy-haired bosses, due in part to the rise of NoScript. Which in turn makes it more likely people will use NoScript, confident that sites they're using will still actually work.
Half a million downloads per week is not to be sniffed at (although that probably only translates to about half a million active users, as it is very frequently updated).
Also, I haven't studied this particular attack, but it would be unusual if the script is hosted on the same domain as the site, as that would require two separate modifications to the site's code. In which case the most common NoScript habit of only allowing scripts from the same domain would prevent it from running, assuming the site is in the user's whitelist or actually requires scripts to be enabled. IMO NoScript is "good enough" protection against script-borne attacks. Shame it requires a certain level of knowledge to use effectively.
@Rob Elliott
I freaked out when I first read your idea, but after I calmed down a bit I realised what a good one it really is. There *is* a browser equivalent of WordPad. Let Windows' only built-in browser be Lynx.
Isn't it amazing
... how many thick people read The Register!
Microsoft are specifically not allowed to leverage their OS monopoly to disadvantage competitors in other areas, in either the EU or US, and probably elsewhere in the world too. The same rules don't apply to non-monopoly players.
I am in complete agreement with the proposal to bundle Firefox with Windows 7, as the second most popular browser, and perhaps Opera, Chrome and Safari too. There aren't actually that many. Maybe the first time a user clicks the Internet icon they could be asked which browser they want to make the default, much as MS have already had to provide a way in IE for users to select their default search provider.
Feature?
Can the lack of something be considered a feature?
@ratfox, you don't get it
According to the article, "Only about nine per cent of the time the user waits for the page to load is spent getting that html document". Yes, some of the rest of the time is spent requesting external assets like CSS and javascript, but those are likely cached after the first page - the rest is processing time; nothing to do with how fast the user's connection is.
"watch your logs"
... won't help. If I understand how Phorm works, it intercepts packets between the user and the website, so leaving no trace on the site's server logs.
Someone, somewhere clearly wants all internet traffic to be encrypted in the near future.
Is it just me, or
... do I finally discern the long-trumpeted anti-Microsoft bias for which this publication is supposed to be known (it always seems more anti-Apple to me)?
Passing ACID 3 was never a stated goal of IE8; the very laudable goal was to make IE fully compliant with CSS 2.1. This will definitely make developers' lives easier, while ACID 3 is quite esoteric. I'm pretty sure I read all this here, so shame on you for going the easy I-strangle-your-newborn route.
Of course, Microsoft are still playing catch up with the other browsers after IE's six dead years, but I feel that praise is due for picking the right first step towards proper standards compliance.
If you really want to beat up the new version, why not pick Microsoft's utter silence on the subject of SVG support? Doubtless Silverlight is to blame, but lack of SVG is now IE's main impediment to web innovation.
It's hard to know
... where to begin pointing out errors in this article. I will focus on the main one: that IE8 does *not* require a special tag adding to sites to render in standards mode. That idea was kicked into touch a long time ago.
It's developers who can't be bothered to fix their sites to render properly in IE8 standards mode who need to add a special tag.
Devs who already code for Firefox (and who can afford not to nowadays?) should be ok, provided they don't use browser detection to feed hacks to all versions of IE. At least, until the inevitable bugs in the release version of IE8 begin to surface...
MP3 is still good enough
Agree with what other people have said about MP3 (except I use 192kbps VBR not, uh, 200) - sound quality is fine, even on expensive headphones, and it's compatible everywhere.
I can listen to my own MP3s on my Vodafone Samsung Omnia without a problem. Don't know what other formats the built in player supports - being a Win phone there's probably a player out there for AAC (sadly, OGG is dead) - but why take the chance?
@gjw
"you cannot really use the G-phone unless you're a Google faithfull"
Do what? I'd love to have a G1, but t-mobile coverage is crap here in Brighton, and I'm not one of the "Google faithful" (just one 'l') - unless you're referring to those obscure cultists who like Google's search engine - I must put my hand up to that. The G1 appeals to me as a programmer because it's an open platform.
Ah. Maybe you were parodying Apple's control freakery. In which case I consider myself well and truly whooshed.
Hilarious
Our platform is crap - that's why you should use it.
Dynamic holographic display, or magic?
I thought I was still tuned to The Onion for a while, there.
Are you people quite mad?
... you can use the FF3 Address Bar the same way as you always did, by typing in the first part of the address you want to go to until enough has been typed to narrow it down so that the URL you want is showing in the dropdown, then pick it from the list. As you're typing, other URLs may be shown in the list but they're likely to be related to the one you're typing. Even if they're not, plough on and your result will soon appear. What's the problem?
In addition, the address bar will help you find addresses where the part of the URL you can remember is not at the beginning, or where you can only remember part of the page title, but you don't have to worry your little heads about this.
You people probably don't like predictive texting either, do you? What a reason to abandon a browser: "They added extra functionality! Waaaah!"
Jacqui is right
Laudable though the Judge's remarks are regarding the technicalities of the search, there seems also to be reasonable doubt whether the computer's owner was the one who put the files there.
Obviously there are going to be many cases like this in the coming years; it's reassuring to see this one get off on such a good foot, technologically.
One has to wonder how this software works that can hash files by inspecting individual sectors on a disk, when a file - especially a large one - is almost certain to be physically spread around.
The end of cold calls?
Actually, I'm in favour: no more cold calls, because everyone will be unwilling to pick up a call from an unknown person.
@Skinny
Are you saying that midwives' handwriting isn't ineligible for illegibility?
@Nottingham AC
"Do what the rest of us do; Spray on Mud, Broken Plate, Clone, Or the Very Expensive and night only! IR ReactoLight LCD Cover."
Anything, ANYTHING but actually drive at or below the limit.
Bollocks!
I find it amazing how hard people are prepared to look to find something to grumble about. Firefox 3 is so obviously an improvement on its predecessor, and as many have already pointed out, was in test for a good long time before its launch. As all but one of the dozen or so extensions I use regularly had already been updated, I made the switch several months ago.
But you have to complain about some obscure add-ons that weren't updated during this barn door of opportunity while conveniently forgetting the aeons which passed after FF2's launch before key extensions like TabMixPlus got updated.
I'm not sure what these extensions were that caused people trouble, but developers of complex extensions such as Firebug seem to have taken the API changes in their stride. The one that I gave up waiting for was a certain toolbar, developed by a certain sponsor of and contributor to Firefox: yep, Google. Dunno if they've got their act together yet, but Googlebar Lite does what I need and works fine on FF3.
last.fm support?
The Squeezebox used to support streaming from Pandora; glad I didn't get one because of course Pandora is no more in the UK. But I wonder whether it will play last.fm streams. (Apologies if this is answered in the article, but... four flaming pages?)
Google Toolbar
I was reluctant to make a permanent switch to FF3 (actually from Flock), despite its speediness, mainly because of the lack of Google Toolbar, but then I discovered that Googlebar Lite (http://www.borngeek.com/firefox/googlebarlite/) has already been upgraded for FF3 and has every feature of the real thing I ever use (site search, I'm Feeling Lucky, the little buttons to find your search terms on et page,...)
to Be Fair...
to all the "idiots who don't seem to understand what's going on", the article is not very clear. I have followed these developments closely, but was still slightly foxed, thinking for a second "are MS going to insist on a tag to identify properly-coded sites after all"? But no, they are doing the right thing, giving developers who only care about IE an opt-out of IE8's standards support.
Well, argued, Robert Long & AC!
It does seem foolish to say that XML and XHTML are garbage, but neither of you has made any case whatsoever for your opinions.
As for HTML 5 vs XHTML 2 - why do they appear to be diverging? Would it really be so hard to have a single standard for web pages?
@Fenwar
Actually, we already have the DOCTYPE switch. It was included in IE6 for precisely this reason - to allow cobweb sites to render using the IE5 tag soup engine, and this works well. The question is, why are they now penalising those developers who've already gone to the trouble of developing their sites to standards? The big change has already happened: IE6 to IE7. We have already felt the pain of that, and in fact it wasn't anywhere near as bad as Chris Wilson makes out. IE7 is 99% compliant with Firefox, which most developers use as their standards benchmark. It is fairly safe to assume that a site that has a proper DOCTYPE has been coded to work properly in Firefox, so all they have to do to make IE8 work with these sites is to plug the parsing holes which have been used to feed IE7 different CSS in the odd place where it needs help.
This smells of a directive from on high, maybe from Gates himself: "Don't break the web, like we did with the transition to IE7" Well, maybe you broke some IE-only intranets, but you didn't break the web because developers already have to support standards, thanks to the rise of Firefox. The only breakage was where you got standards support wrong. If IE8 really does fully support standards, you have nothing to worry about.
Good on Dean Edwards for standing up against this insanity.
@I see it often
Presumably your company believes that by sticking with the market leaders - Microsoft and Symantec - they can come to no harm. But an infection a month is a very high rate - they should understand that someday it won't just be one person's workstation "acting weird" but their entire network. And that their 'stick with IE' policy will be to blame. It's your duty, AC, as perhaps the only person in your organization who actually knows about this stuff, to insist on a change of policy.
Sigh
While it is refreshing to see antivirus vendors under attack for poor detection, rather than, as is traditional, end users for allowing their machines to get infected - a car analogy usually helps with this - I can't help feeling that an anti-IE paragraph is required in this article.
People have been told again and again how unsafe IE is. If they continue to use it, they must take part of the responsibility when one of its myriad vulnerabilities trips them up.
Foxit also vulnerable
Since no-one answered the question I asked when the vulnerability was first reported, I'll answer it myself: According to the guy who discovered it, Foxit reader *is* also vulnerable to the PDF exploit. (http://www.gnucitizen.org/blog/0day-pdf-pwns-windows)
@AJ Stiles
Great idea. I can see the media furore now... the scourge of Closed Source software.
@AC
I agree totally. Some of them can't even spell 'intolerant'.
What about other PDF readers?
I gave up using Adobe's slow and bloated reader a long time ago. I use Foxit Reader which is free and fires up in seconds. Does anyone know if this or other alternatives are affected by this exploit?
I'm tempted to add something to the effect of Reg readers not being stupid enough to open unsolicited attachments, but nobody's perfect, and the scammers are getting cleverer (naming the attachments things like "INVOICE.pdf").
Good News For Planet Earth!
... computer sales are down. Can mobile phones be next, please?
Does this mean...
that we can soon go back to embedding flash into HTML like in the bad ol' days pre-2005?
Is it possible...
...that Amazon simply made a mistake?
The title got me wondering...
how BT Wholesale had previously managed with a pixellated SEO?
"8,000 WPC delegates"
Surely the conference doesn't need that large a police presence - and why all female?
Interesting Strategy...
Expect the Pirate Bay's stats to take a jump
Erm
While I admire the robust pro-TPB sentiments here, I have to say it would bother me quite a bit if they actually did turn out to be backed by Daleks.
Is Copying Software Actually Illegal?
It may be illegal to use software without an appropriate license, but is it really illegal just to pass around the bits? AIUI that just isn't the way software licensing works.
Adobe make most of their software available as trialware. Cracks exist that can turn these trial versions into non-expiring full versions. Obviously using one of these cracked versions is counter to Adobe's license, but Adobe (or a magazine which carries the trial on its cover CD) isn't liable for distributing "illegal software".
I suspect Davenport don't have a legal leg to stand on.
Thanks for not calling it 'Kiddie Porn'
I admire your writer for calling it what it is: images of child sexual abuse.
Three days too late
Is this some kind of timeshifting protest against April Fools' Day?