Posted 1 year, 3 months ago at 5:49 pm. 2 comments
Typealyzer says my blog reflects the mechanic in me:

The independent and problem-solving type. They are especially attuned to the demands of the moment and are masters of responding to challenges that arise spontaneously. They generally prefer to think things out for themselves and often avoid inter-personal conflicts.
The Mechanics enjoy working together with other independent and highly skilled people and often like to seek fun and action both in their work and personal life. They enjoy adventure and risk such as in driving race cars or working as policemen and firefighters.
Pretty accurate :)
Posted 1 year, 5 months ago at 4:43 pm. 2 comments
Yesterday one of my work colleagues Illan mailed out his opinions on Google’s new Chrome browser and it sparked a bit of discussion. I have snipped some of the more interesting discussion below:
Illan: [...snip...] Link to google comic strip [...snip...] I found it interesting because just by looking at Google Chrome the underlying differences are not always evident. Although its adoption will be based on UI innovations (and there are some nice ones), these are not the main advances – mostly it’s in the security and stability, as well as being designed for richer applications. Which makes me think it could perhaps become a good choice for corporate internal web applications [...snip...]
It was an early morning for me and I hadn’t entirely woken up so I was probably a bit cranky still, but I responded with the following (reply all, cc’d to the company of course):
Tom: Propaganda!
Security and stability were certainly not part of their release prerequisites and clearly a backburner issue for google; a number of vulnerabilities were discovered within the first week of launch – most of them related to google’s evil concoction of old and unpatched open-source components. Can you believe they didn’t bother to upgrade their components, but released with old garbage?
We can’t dismiss chrome completely however; it is just a beta version and google “probably” is interested in protecting their users and will patch – just don’t expect to get a hardened browser out of the box, or within the first 2 years at least. Firefox (with security extensions installed such as NoScript and Ad-Block Plus) is the only trusted browser in terms of security scrutiny, and they have the battle scars to prove it. It baffles me why google decided to reinvent – and it makes me nervous. They already track a massive percentage of users through their 2037-expiring cookies, gmail and google-analytics (to name a few) – but every security professional knows to really “own” (or pwn) the internet you need to be the man-in-the-browser.
Ok now I’m ranting – but I wouldn’t touch chrome with a 10 foot pole.
I have to admit that I hadn’t really bothered to look at Chrome except for the list of published vulns that had been released. I hadn’t even read the stupid comic, so was probably a bit unprepared to make that statement.
Illan’s response was taking up the google-is-cool-cause-it-appeals-to-geeks view, and I appreciate he didn’t burn me down to the ground (I think he thinks I know more about security and ethics than I really do so handled me lightly):
Illan: Erk, I had better not get into a security debate with you – but I have to answer one point:
“It baffles me why google decided to reinvent –”…
It baffled me too, and of course one could take the hackneyed view and assume they are trying to take over the world. But that would be evil.
Obviously to enter into this fray you’d need to be super duper quantum advanced, and Chrome clearly isn’t that. That’s why I thought the propaganda (of course it is that) I forwarded was interesting – it explains why they bothered. The changes are under the hood, geeky type things that are never going to get it accepted by the general populace. And yes, they certainly stuffed up using old bits of code and will have as much (actually more because they borrow from two different browser families) of time as anyone keeping their browser up to date from the point of view of exploits and flaws.
But did you read the thing [he means the comic strip -tom]? Don’t you think separate processes, with more sandboxing, is cool? A compiled Javascript and being built from scratch to work as an application container? And you can’t argue with their testing capabilities – of course there are bugs, but if anyone is positioned to find and fix them quickly it’s them (of course if we don’t see them doing this then it’s game over since they have touted their own ability to do so). As for the user interface I do enjoy the minimalism and the googlesearchism but it’s not the main point. And it does seem fast.
As for secret agendas, it’s open source. But I do agree that they have a hell of a hill to climb with Mozilla. But perhaps it’s not so much that they are trying to compete as they are trying to get the others out there to improve – because they want everyone to have browsers that can run the kind of apps they want to write.
So to paraphrase:
1. Google is not evil
2. They screwed up, but they will fix all the problems
3. Technically Chrome is nicely architected and it’s fast
4. Chrome is not evil because it’s open source and their intention is to play nicely with the competing browsers in the market (more competition will up the level of all browsers)
So there was some back and forth about the process-per-tab nonsense plus the amazing performance experiences, thanks to Dom for giving me some ammo from his Chrome war with Yusuf (see comments):
Tom: In terms of the separate tab-per-process idea – yes it’s great, and it does minimize the risk of browser bugs to some extent – but doesn’t get us anywhere nearer to solving the real big internet security issues of XSS, CSRF, and SQL injection. Some would argue that these can’t be solved by the browser, but even the granular way that chrome handles cookies shows the browser has a long way to come to start tackling these security problems.
The process separation means that attackers won’t be targeting the tab process because it doesn’t provide much, but will rather go after the parent layer. The browser crash discussed at http://www.networkworld.com/news/2008/090308-early-security-issues-tarnish-googles.html?page=1 is already an example of the entire browser crashing meaning that it is possible to break out of the tab process into the parent process. But sure they will fix this and we’ll be safe for another week or two. Also, I have no doubt that chrome plans to support community plug-ins (right? They can’t expect to compete with Firefox without them.) – where will these plug-ins run? Inside each tab process, or within the parent process (and how will they communicate between each process) – my point is that yes it’s definitely a step in the right direction, but there are lots of very complex problems to solve if they plan to make the architecture usable, and complexity breeds vulnerabilities.
As for performance – I don’t think we can really compare chrome’s performance with any fully featured browser yet. A buddy of mine [that's you Dom -ed] pointed out that he could get just as snappy a browser if he docked the Mozilla Gecko engine into a gtk widget and called it a browser.
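Tom’s point above is that XSS, CSRF and SQL injection are defects in the web application and its server-side handling of input, so a browser’s process model cannot fix them; the remedy sits in the application code. The following is an added example written for this page, not code from the original discussion or from Chrome: each vulnerable handler is shown beside its hardened form. The in-memory SQLite table, the sample injected value and the plain dict standing in for an HTTP request are all constructed for the example; no real framework is assumed.

```python
"""Added example (not part of the original post): the three injection classes
named in the discussion live in the web application, not the browser process
model. Assumptions: a constructed in-memory SQLite user table and a plain dict
standing in for an HTTP request (no real framework)."""
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed sample data: a two-row user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: user input is pasted into the query text, so a value
    containing a quote changes the query's structure."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Parameterised query: the driver keeps data separate from SQL code."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greeting_vulnerable(name):
    """Reflected XSS: untrusted text is spliced straight into HTML."""
    return "<p>Hello, %s</p>" % name


def greeting_hardened(name):
    """Output encoding neutralises any markup in the untrusted value."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def issue_csrf_token():
    """Per-session random token; the server stores it and embeds it in forms."""
    return secrets.token_hex(16)


def state_change_allowed(session_token, request):
    """CSRF defence: a state-changing request is accepted only if the form
    echoes the session's token. The browser attaches cookies to any request
    automatically, so a valid cookie alone says nothing about which page
    originated the request."""
    submitted = request.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    # Constructed sample input: the classic tautology payload.
    probe = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(make_db(), probe))  # both rows
    print("hardened lookup:  ", lookup_hardened(make_db(), probe))    # no rows
    print(greeting_hardened("<script>alert(1)</script>"))
    token = issue_csrf_token()
    print("cookie-only POST accepted?",
          state_change_allowed(token, {"cookies": {"session": "abc"}, "form": {}}))
```

The vulnerable lookup returns every user for the probe value because the quote closes the string literal and the `OR` is evaluated as SQL; the parameterised version treats the whole value as a name and matches nothing. None of this depends on how the browser is partitioned into processes, which is the point of the passage.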
Then we moved onto some philosophical stuff around browser 2.0 (if no-one else has already, I coined this!):
Illan: The bugs and vulnerabilities don’t bother me, it’s whether it is inherently potentially better designed… I don’t expect it to be perfect out of the box.
Bottom line: If the browser world can benefit from a bottom-up redesign, then Chrome may be a good start, and if (a big if) it is adopted by the open source community then there is no reason it couldn’t piggy-back on Mozilla and do some things Mozilla can’t without a redesign. I mean, who was going to try redesigning anything? At least Google has given it a shot.
Good point about the speed though.
If you had to redesign the web for better security, what would you do?
So what we need is a browser re-design, and if not what is the alternative - my response:
Tom: I don’t agree that chrome is a re-design at all – sure they have done some nifty process separation, but I wouldn’t call it “browser 2.0” [COINED! You just experienced a historic moment on the Internet -tom] just yet. The UI enhancements do look pretty, but that’s really all it is – and it all looks a bit dumbed down. Maybe I would install it for my parents to use – but they are notorious for getting fooled into clicking malicious adverts and the such so I’ll stick with firefox with NoScript for them in the meantime.
If I had to redesign the web for better security I wouldn’t go to google for ideas – their entire business revolves around profiling their users for targeted advertising. I don’t have an issue with that as it’s the price of good web tools, but to give them a chunk of my desktop too feels a bit big-brother. Google is more and more becoming very invasive and I don’t agree that their intentions with Chrome are to “give it a shot building a browser” – I think they really aim to own the browser market and the unfortunate thing is that they probably are in a position to be successful at it. And maybe they will improve our lives somehow in the process, but at what cost?
If google were concerned with our privacy they would have given us encrypted mail in gmail – not because the technology doesn’t exist, but because it doesn’t help their business. It all sounds like a conspiracy theory but don’t think google won’t hand out your data if pushed – Yahoo was strong-armed into handing over search data to the Chinese government resulting in real people being detained. And even if you feel that no dirt would be found on you – an attacker with your credentials suddenly has your life in his hands. The lines between our digital and physical identities suddenly become scarily blurred. [Dom thanks for the ammo here again :) - ed]
Illan ended off with a:
Illan: Ya, Google would hand over my data, they most certainly are not concerned with maximising privacy. I agree that we are putting a lot into Google’s hands. It is getting big brotherish and I don’t like to think about it – which is probably what most people do. I could of course disengage from using their tools – just. In a year or two maybe I will be just too entrenched.
But I am not at all convinced they are trying to own the browser market (not that they’d object but can they really expect to) and what good would it do them with an open source product. I can’t see how they could expect to take over the browser world with a slight improvement. As someone once said, to change the world you have to be not 20% better than the rest, not 100%, but 1000% better. (Paraphrasing desperately). Surely Google isn’t so naïve as to think they could manage it with this incremental attempt at improvement. They can’t believe that just because it’s Google it will dominate. It’s the browser wars for goodness sake, even Netscape couldn’t win them. Look at Google Talk for example – it’s certainly no Skype-usurper, it’s not even better than Skype – although I have to admit it’s nice that it’s there for free with anyone who has gmail (and who would normally not bother with an IM). [...snip...]
So what would browser 2.0 be? I certainly think we could do with a “secure application runtime environment” – oops, wasn’t that Java Applets? But mediated by a text-based descriptive language - oops, wasn’t that Mozilla’s XUL or whatever it is called? Maybe browser 2.0 is Flash? Oh no, it’s Silverlight. What happened to Silverlight by the way?
Then he went home and I went to get some lunch. A good morning :) I still haven’t installed Chrome and I don’t plan to, which is unusual for the early-adopter syndrome I suffer from. 6 months ago I probably would have backed Google here - but something just smells fishy. Maybe I’m paranoid, but damn it really bothers me whenever I click that “History” link on the Google search page.
Posted 1 year, 6 months ago at 5:53 pm. 0 comments
Photosynth is awesome for stealing passwords and personal information, especially from idiots who write their passwords on post-it notes. A couple of quick searches for “office”, “my desk” and “IT office” reveals some interesting results:

[Photosynth screenshots of office desks, not reproduced here]
I especially enjoy the closeup snap of a notebook above containing meeting minutes, one hell of a dancing pig this photosynth thing!
Update: Found an article about a hacker who was busted after investigators found photographs posted of his cat on his laptop - they managed to zoom into the laptop screen, obtaining a lead as to his identity.