Earlier this week I went to “Oxford Geek Night” and the title of one of title of one of the sessions was “The Zombie Cookie apocalypse” delivered by David Sheldon (I wish his slides were on-line so you could read more and I could give him a proper credit), it wasn’t the only informative session – there were bunch of those -  but it was one which sent me away thinking “I should have known that”.

Here’s the Gist. We all know about cookies, the little bits of information which web sites send to to your browser to make applications work, or to follow you round the web. Even IE6 knew that cookies could be bad and could reject the tracking ones. Adobe Flash keeps its own cookies, which bypass the normal rules.
Although it doesn’t seem to widely known (I was in a roomful of people where internet expertise was the top skill, and no one seemed to have heard of this before) – it is reasonably well documented – often using Adobe’s name of “Local stored objects. You can read more information in Wikipedia’s dispassionate style, or you can have it in they’ll suck out your brains style if you prefer (of course you do !)

This has 3 main impacts.

1. If you run different browsers – say IE and Firefox (the demo I saw used Firefox and Chrome on Linux) each browser maintains (and can clear) its own Cookie store, so you can have different personas by using different browsers: but Flash is Flash wherever it runs so it uses a single store.
2. Browsers don’t know about information held by add-ins (Flash or anything else) so it can’t clear their information. You might think you’ve killed off the cookies but flash ones will keep coming back (hence the Zombie reference).
3. IE8 has “In Private Browsing”, so do Firefox and Chrome (I think chrome talks about Incognito Windows) .Adobe announced support for private modes recently, (you can read the IE team’s take on the this) but if you are running a version before 10.1 – and as I type this the current download is 10.0.45.2, so you are running something before 10.1 -  it uses the same store for browsing in Private that it uses for ordinary Browsing, and doesn’t clear cookies afterwards.

I thought “the handful of sites where I use In-Private Browsing aren’t flash sites.”, the flash handling the cookie is not always visible. When I did a quick search I found something from the Electronic Privacy Information Center which quotes one tracking platform vendor as saying "All advertisers, websites and networks use cookies for targeted advertising, but cookies are under attack. According to current research they are being erased by 40% of users creating serious problems.". Indeed: as EPIC puts a little later “By deleting cookies, consumers are clearly rejecting attempts to track them. Using an obscure technology to subvert these wishes is a practice that should be stopped”

So: How do you see, clear and block/allow Flash Cookies ? That announcement from Adobe suggests that in 10.1 you will be able to this by right clicking on flash in the browser and going to settings. Until you get 10.1, you have to visit a page on Adobe’s site –which isn’t espcially easy to find. 

Clearing the information from my computer I made a note of some of the sites which were leaving information on my PC which I was certain I hadn’t visited and got a little PowerShell script to get the title from their home page. (Which worked for most sites, some take a little fiddling). Here are the names and descriptions.

You can see what business they are all in. I’ve added them to my list of sites blocked by InPrivate Filtering. Which reminds me, I must post part 2 of that.

OK cards on the table. I’m prejudiced. I don’t pretend to be anything else, and I try to open about my biases - flaunt them even. And Like most prejudiced people I can explain the logical roots that my prejudices spring from.

When it comes to browsers I think IE is pretty good .Actually let me qualify that: I thought IE 7  was when we got back to being pretty good and IE8 ups our game. Yes I know some organizations are stuck on the IE6 – I think being unable to move to current technology is a sign of badly run organization, so excuses for being stuck on 6 always sound lame to my ears. Usually it comes down to “We made a bad choice of something years ago and now we we can’t upgrade anything”. The investment to put this right which then makes people more productive, and reduces support costs etc is always a good one. When XP was still a current OS (early 2006) IE6 was looking old and tired and I tried Firefox and liked it. These days IE does what I want, so I haven’t felt the need to use the recent versions of Firefox, but to me it still embodies what is good in open source software development. I don’t hear its advocates talking open source ideology, and it strikes me that they want it to succeed on merit – the only way a competitor gets my respect. I can’t feel the same respect for Opera, since it was their complaint to the EU which nearly caused us to ship Windows 7 to Europe with no browser at all. Opera has a market share miles behind Firefox, (and well behind Chrome and Safari). If IE were to vanish it would seem a fair assumption that 3/4 of the total market would go to Firefox.  Prejudiced against Opera ? Guilty as charged m’lud.

So… It came a bit of disappointment to find that my new Windows Mobile device comes with Opera installed. Oh the irony: we can’t tell HTC and/or Orange what browser(s) should be on the device , even in our position as customer. On the first day I had the device, I hooked the device up to the corporate wireless (Windows Mobile Device Center handles getting the certificate that is needed) and configured the proxy for work networks. I pointed internet explorer at Www.getCoMo.com and downloaded Communicator Mobile which is working very nicely. Next I wanted to find some IP utilities to check what the network was doing. Sadly the beautiful photos on Bing’s home page are wasted on me - I don’t go to search pages (and my home page is set to blank) – I use the browser’s search box. Except Pocket IE doesn’t have one:  however there is a live search icon in the Programs folder but when I used that the result was an error in Opera. It seems Opera can’t connect through a proxy: it certainly doesn’t respect the global proxy setting which IE and Communicator used (it didn’t pick up my favourites either), and if there is somewhere to set, I can’t find it – it’s certainly not under settings. 

This produced an outburst which must have startled anyone who heard it. “Congenitally stupid” was one of the more repeatable phrases and I’ll draw a veil over the rest. Seriously. This phone is an evolved pocket PC, and I beta trialled the 802.1x drivers for the wireless LAN card which went in a jacket with my iPAQ 3600 series when Microsoft first started to use wireless LANs in 2001, and could use a proxy. It’s such a basic function I couldn’t believe it was missing.
IE at least will me set it as the default browser, so any attempt to jump to a URL at least goes there now. But, can I re-assign the short cut key on they keyboard to it ? That is beyond me. I can remove IE from a PC supplied with it (and presumably if the supplier replaces IE with something else , I can remove that,  and go to whatever I want) but there isn’t the same freedom of choice when you move away from the PC. [Unless there are hacks which the average phone user can’t find]

After being taken to task by some recent commenters I'm a bit hesitant about suggesting that I (or others) are vain, but I can't come up with a better tag for it. 

I find that quite often I want to find a post on my blog. Because I often write about things I've found on the web the link to them is in my blog rather than my favorites folder. There are other things like in house Wikis or sharepoint sites where we want to go back to our own stuff- hence vanity searching. I find this is a great use of the search box in IE7.

I've added "My Blog" to the search list, and I'd pass that on as a top tip. Add search for any site you post to a lot. The easy way to do this is to search for the word TEST and then copy the URL from the address bar - if you paste it on on the "Search Providers" web page the server there will generate the open search XML that IE needs. 

By the way in the screen shot on the right you'll see I've got Live Search as my default - I'm now finding it's quite rare that I have to drop back to Google. Once I've switched I'll keep on using Google until a search there doesn't work out. I've got a couple of other bits, Wikipedia (as you can see in the screen shot) is on my menu and while you're at the site it puts itself on the menu - that's what the yellow star is showing - the pull down menu also goes Orange when the site supports this - I really wish all Microsoft sites would - but like getting them changed to use silverlight, to write phone numbers as TEL: clickable links this seems a bit of a forlorn hope.

In a previous post I admitted a small heresy for a Microsoft person. I quite liked firefox; past tense because IE7 gives me all that I liked about Firefox, and more besides.

Last week I learnt of a survey by bit9 which details their top 15 most vulnerable applications. And top of the list is Firefox, version 1.07. Firefox have updates, patches, indeed a whole new version, but if anyone still believes the “lots of eyeballs implies few vulnerabilities” myth of Open Source, they should be able to see it is a fairy story. There is an equal and opposite myth which is that software is only secure if you keep the source secret. The fact that Microsoft have a “Shared source” programme – open source with a small O, gives the lie to this too. Only in Digital Rights Management do you need to keep the code secret.

Talking of digital right management number 2 in the list was Apples iTunes. 6.02 and quick time 7.03 (which, like firefox is patchable, or can be replaced with a new version). At 3 comes Skype 1.4 (patchable) , #4 is Adobe Acrobat Reader 7.02, and 6.03 (superseded and patchable), and #5 is Sun’s Java Runtime Environment (also patchable), #6 is Macromedia Flash Player 7 (patchable again), at #7 is Winzip 8.1 (upgradeable) , keeping Skype company, at #8 is AOL instant messenger 5.5, #9 is MSN messenger 5.0, and #10 is Yahoo instant messenger 6.0, and #15 is the ICQ chat client 2003a. AOL and MSN can be patched or upgraded, Yahoo and ICQ – according to Bit 9 - cannot. You can get the full list of vulnerable apps from bit9.

Inside Microsoft, we’ve talked about what this report means. First, it means Vulnerabilities aren’t confined to Microsoft. Any developer that points a finger at someone else for having a vulnerability is setting themselves up for a fall. We might allow ourselves a small laugh at the expense of those Firefox fans who claim it is totally watertight. But only a small laugh – because they set themselves up for the fall. Too much laughter and we’ll be setting ourselves up for one.

Secondly, 9 of the top 10 have patches and or upgrades. No-one should see any impact from these vulnerabilities. It’s easy to make sure Microsoft software is patched, but how good are people’s practices for the others ?

Internet Explorer 8 seems to be  guided by the same “many little improvements” philosophy that has driven Windows 7 – or put another way it’s not packed with radical new features , and in some cases I find it hard to be sure if something really wasn’t there before:  I think the “Privacy Policy” is new and it lets find out where pages are including something which violates my privacy or which produces a hyper-active advert (where these are scripts they go into IE’s distrusted sites list ! )

Here’s the kind of incremental improvement I’m talking about, look at the search box.

Image 1 on the left shows how things worked in IE 7, you needed to pull down the list on the right to select a different search provider.

Image 2 in the middle shows how things have changed with IE 8, the icons for the different providers show up under the search box, click the one you want to select and click off the search (3 clicks become one).

But what’s that on the right ? in image 3. Previously to search your history you needed to go to favorites tab, go to history, choose Search history, enter my search term and then click search. In 8, just type into the search box and the history gets searched as you type

One thing that is brand new in 7 is the idea of accelerators: when you highlight some text on the page you can take some actions with it. Highlight an address and you can go to a map, highlight a word and you can look it up in a dictionary. Use an a browser based tool for composing your blog entries (and I don’t) then jump to your blogging tool . The specification for the XMLfiles which describe accelerators is on MSDN. There were plenty of things I could have tried, but I decided to one one for Twitter… then found that David Sim has done that already, and here’s what the XML looks like

<?xml version="1.0" encoding="UTF-8" ?>
<os:openServiceDescription xmlns:os="http://www.microsoft.com/schemas/openservicedescription/1.0">
    <os:homepageUrl>http://www.twitter.com</os:homepageUrl>
    <os:display>
        <os:name>Send to Twitter</os:name>
        <os:icon>http://www.twitter.com/favicon.ico</os:icon>
        <os:description>Send text to Twitter</os:description>
    </os:display>
    <os:activity category="Send">
        <os:activityAction context="selection">
            <os:execute action="http://twitter.com/home?status={selection} {documentUrl}" />
       </os:activityAction>
    </os:activity>
</os:openServiceDescription>

So once this is installed if I run my mouse over some text I get this ….

All very fine and good … except why do I have to go to a submenu ? and Why is the top menu filled with stuff from Windows Live – some of which I’ll use but some I won’t ? The answer is it has to default to something, but you can change it by going to Manage Add-ons from IE’s tools menu and clicking accelerators (and there is a short cut on the “All Accelerators” Menu)

I’ve removed the Email with Live mail and Blog with live spaces (I don’t use them) and just to show the search isn’t fixed I changed the default search to “My blog”, which changes the “Search with” entry. Each accelerator has a category – this one is “Send”, and one item in each category can be flagged as “Default” to appear on the top menu, which is what I’ve done for the twitter entry. Now that’s more like the “few clicks for common tasks” ethos of 7.

Every now and then a news story comes up which reminds us that if people with bad intentions, even sensible people can fall into traps on-line. There was one such story last week where friends of the victim said she was “the sensible one” – if she wasn’t unusually gullible it could happen to anyone. I wrote about safer internet day recently and it’s worth making another call to readers who are tech savvy to explain to others who are less so just how careful we need to be trusting people on-line.  I got a well constructed phishing mail last week claiming to have come from Amazon I would have fallen for if it had been sent to my home rather than work account – it’s  as well to be reminded sometimes we’re not as smart as we like to think.

I’ve also been reading about a libel case. I avoid making legal commentary and won’t risk repeating a libel: the contested statement said that something had been advocated for which there was no evidence. I read a commentary which said something to the effect that in scientific disciplines, if your advocacy is not in dispute and someone says you have no evidence for it, you produce the evidence. Without evidence you have a belief, not a scientific fact.  This idea came up on later in the week when I was talking to someone about VMware:  you might have noticed there is a lack of virtualization Benchmarks out in the world, and the reason is in VMware’s licence agreement (under 3.3)

You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study

Testing, when done scientifically, involves publishing ,methodology, assumptions and other parameters along with the test outcomes and the conclusions drawn That way others can review the work to see if is rigorous and reproducible. If someone else’s conclusions go against what you believe to be the case, you look to see if they are justified from the outcomes: then you move to the assumptions and parameters of the test and it’s methodology. You might even repeat the test to see if the outcomes are reproducible. If a test shows your product and yours is shown in a bad light then you might bring something else to the debate. “Sure the competing product is slightly better at that measure, but ours is better at this measure”. What is one to think of a company which uses legal terms to stop people conducting their own tests and putting the results in public domain for others to review ?

After that conversation I saw a link to an article IE 8 Leads in Malware Protection . NSS labs have come out with their third test of web browser protection against socially engineered malware*. The first one appeared in March of last year, and it looks set to be a regular twice yearly thing. The first one pointed out that there was a big improvement between IE7 and IE8 (IE6 has no protection at all  if you are still working for one of the organizations that has it, I’d question what you’re doing there).
IE 8 does much better than its rivals : the top 4 have all improved since the last run of of the tests. IE was up from 81 to 85% , Firefox from 27 to 29%, Safari from 21% to 29% and Chrome from 7% to  17%:

Being pessimistically inclined I look at the numbers the other way round : in the previous test we were letting 19 out of every 100 through, now it’s 15 – down by 21%: in the first test we were letting 31 of every 100 through so 52% of what got through a year ago gets blocked today. Letting that many through means we can’t sit back and say the battle is won, but IE8 is the only Browser which is winning against the criminals:  Google,for example, have improved Chrome since last time,so it only lets through 83 out of every 100 malware URLs -  that’s blocking 11% of the 93 it let through before from each 100. With every other browser the crooks are winning, which is nothing to gloat over - I hope to see a day when we’re all scoring well into the 90s.

I haven’t mentioned Opera – which has been have been consistently last, and by some margin, slipping from 5% in the first test to 1% in the second to less than 1 in the most recent. In a spirit of full scientific disclosure I’ll say I think the famous description of Real Networks fits Opera. Unable to succeed against Safari or Chrome , and blown into the weeds by Firefox,  Opera said its emaciated market-share was because IE was supplied by default with Windows. Instead of producing a browser people might want, Opera followed the path trodden by Real Networks – complaining to the European Commissioner for the protection of lame ducks competition. The result was the browser election screen.

I’m not a fan of browser election screen – not least because it is easily mistaken for Malware. To see the fault let me ask you, as reader of an IT blog, which of the following would you choose ? 

1. The powerful and easy-to-use Web browser. Try the only browser with Browser-A Turbo technology, and speed up your Internet connection.
2. Browser-B . A fast new browser. Made for everyone
3. Browser-C is the world’s most widely used browser, designed by Company-C with you in mind.
4. Browser-D from Company-D, the world’s most innovative browser.
5. Your online security is Browser E's top priority. Browser-E is free, and made to help you get the most out of the web.

You might say (for example) “I want Firefox”, but which is Firefox in that list ? You are probably more IT savvy than the people the election screen is aimed at and if you can’t choose from that information, how are they supposed to ? You see, if you have done your testing and know a particular browser will meet your needs best, you’d go to it by name you don’t need the screen. People who don’t know the pros and cons of the options before seeing the screen might just as well pick at random - which favours whoever has least market share – which would be Opera.

The IE 8 Leads in Malware Protection  article linked to a post of Opera’s complaining that the results of the first test were fixed “Microsoft sponsored the report, so it must be fixed!” If we’d got NSS labs to fix the results a year ago would we stipulate that Opera should be so far behind everyone else? Did we have a strategy to show Opera going from “dire failure” to “not even trying”? Or that IE8 should start at a satisfactory score and improve over several surveys with the others static  ? But to return to my original point: the only evidence which I’m aware of shows every other browser lets at least 4 times as much Malware through as IE. The only response to anyone who disputes it is let’s see your evidence to counter what NSS labs found.Google have spent a fortune advertising Chrome: if Chrome really did let fewer than 5 out of 6 malware sites through they’d get someone else to do a [reviewable] study which showed that.

And since we’re back at the question of evidence, if you want are asked for advice on the election screen and you want to advocate the one which will help people to stay safe from Phising attacks – I don’t think you have any evidence to recommend anything other than IE.  But remember it’s not a problem which can be solved by technology alone. Always question the motives of something which wants to change the configuration of your computer.

Over the next few weeks I’m going to be talking about IE8  (and depending on what gets announced at Mix maybe IE9 as well). Whilst I don’t have the data to prove it I’m convinced a lot of people running Firefox are doing so as a way of getting a modern browser when their company still has something from the last century tying them to IE6.  I suspect a lot of those people have seen demos which prove IE7 is much better than 6 and that IE8 is better, but the demos are always simplified, and you see pages with a single issue conveniently fixed using a click of a button. But it is definitely not that easy. You could have thousands of apps, many of them packaged, or you could be prevented from accessing the code because it is part of a product you bought.  

Why is that last bit in italics ? It’s part of the session abstract for a webcasts which is being run different times of day, over the next few weeks.

The presenter is Chris Jackson, Principal Consultant and the Technical Lead of the Windows Application Experience SWAT Team, Microsoft Corporation (a widely recognized expert in the field of Windows Application Compatibility) . Although I haven’t had a chance to watch it myself, I’ve seen the scores for the first run which said the audience rated it very highly. So if you still have IE6 in place and want to do something about it, this seems like a good place to start. 

A few days back I wrote about acceleators in IE 8 and talked about how search box had been streamlined as well. I knew we’d re-worked how tabs worked but my first reaction was “yeah … but so what”.
I’m a big fan of tabs: IE 7 changed my experience of the internet. I guess other tabbed browsers did the same for other people – but tabbed browsing is such a huge jump forward I just can’t remember how I managed without it. IE gets opened up within a few minutes of my machine booting, and quickly gets to twenty open tabs. The beta of IE8 in Windows 7 beta isn’t perfectly stable, but I’m running it for days on end and saved a block a 57 tabs when I had to shut down . Following links from twitter means I’m getting more tabs open especially since I still make use of IE7 pro , which has a feature named “super drag/drop” -  if you drag a link and drop it on the same page it opens in a new tab. In practice this means a flick or a “smudge” of the mouse opens in a new tab. IE7 pro also trap pages trying to open in a separate window and open them in a new tab instead.

I’ve taken to colour coded tab groups in 8 in a big way: it sounds so trivial that I sat here and wondered if I dared call it out, but I will:

Open a page as new tab and it forms a tab group with the original page. You can see on the left the tabs are green, they’re the things I’ve jumped to from Twitter, then there are a couple which aren’t grouped, followed by a couple in a fetching shade of peach which were on Geo-coding, then some purple ones which where the results of a couple of searches, next come some green ones on Aviation accidents and finally some in blue from MSDN for something I’ve been working on in PowerShell. It’s just easier to get around; when you have dozens of tabs open you can lose track of where you are.

IE 7 pro remembers recently closed pages and lets you re-open them – with a short cut for the most recently closed one.. The problem is it just remembers the last URL: the tab doesn’t open in a group (you can drag it into one) and if you want to go back through the history on the tab, no joy. In IE8 if you click on the tab strip you get the option to reopen the last closed tab in the right place with its history.  The menu can also close a whole group in one go – done with the MSDN group? Right-click, click, 4 tabs gone!  There are some bits missing: there’s no option to refresh or save a tab group and grouping tabs which aren’t yet in a group is a bit long winded. Something for the IE 7 pro folks to add for IE 8 pro

IE 8 just locked up on me. This in and of itself is a Bad Thing. I’ve got into the habit of having lots of tabs open in IE  - I checked it’s currently 70 (why … ? because I can, it’s a pile off stuff I’m thinking about, going back to or what ever). IE 8 will recover from being killed off in task manager. But 70 pages to re-open ? I’d rather not. Then this box popped up 

Ooh. Now that’s rather clever. I’ve popped the offending site into compatibility mode and it’s behaving. Chalk another one up for IE

I was chatting with a couple of colleagues yesterday about internet explorer. Someone grumbled “When people think of browser add-ons they automatically think of firefox, but there are some really good ones for IE”. I have talked in the past about IE7 pro (which despite the name works with IE8).  I use it for four things – first it has a flash blocker. This gets round my issue of not being able to use a page when there is some animation going on, without needing to turn the flash add-on off  [yes, flash is an IE add-on, so is Silverlight.] Secondly it will block content being pulled in from selected external sites. This helps defeat flash but also stops those firms which want to track my visits to sites. Finally for things which get through the first two it has the ability to cut out some of the really annoying bit of a page – those which would circumvent the flash blocker. Although this is mostly targeted at adverts I used it to make the Independent newspaper’s web site usable.  The last trick it has contributes to my habit of having dozens of tabs open – click/drag opens a link in a new tab – it has other mouse gestures but that’s the only one I use. [Some people like the download manager  , but I’m not one of them]

I added an accelerator for twitter but after that I’m not really using any add-ons. In yesterdays conversation my other colleague said – roughly “I have no plug-ins at all and I don’t think many people use them, a lot a buggy and they all slow the browser down to different degrees”. So … if you have added anything to IE7 or 8 that you really wouldn’t be without  (or for that matter if you use firefox because of an add-on) , please post a comment.

I write my blog posts using Windows live writer and I’ve talked before before about one which adds tweetmeme support to each post. This morning I’ve been trying to help someone get the onefor Bit.ly – I had to add &history=1 onto the end of the password to get it to log my links to a history on bit.ly – which is much more useful as I can see which links people are following. It won’t work for him. I guess the same criticisms can be made for Live writer plug-ins as IE ones, but the same question interests me – if you blog with live writer and have a favourite plug in, please post a comment.

Finally, I was talking James Brundage – the guy behind the PowerShellPack which is in the Windows 7 resource kit and also available for download, part of that is an add-in for the PowerShell interactive scripting environment. It adds a menu and a set of short-cut keys – among other things to copy the text with syntax colouring. If you ever need the code to “un-bitly-fy” a URL here it is , in colour. Of course it works for more than bit-ly – it gives back the canonical URL for anything which is redirected from another URL.

            
Function Get-trueURL {            
    Param ([parameter(ValueFromPipeLine= $true, mandatory=$true)]$URL )            
    $req = [System.Net.WebRequest]::Create($url)             
    $req.AllowAutoRedirect=$false            
    $req.Method="GET"            
    $resp=$req.GetResponse()            
    If ($resp.StatusCode -eq 301 ) {$resp.GetResponseHeader("Location")}            
    else                           {$resp.responseURI}            
}