Categories
Google In The News Internet

DoubleGoogleClick?

So Google acquires DoubleClick for 3.1 billion dollars. There doesn’t seem to be any word on how this will integrate with (or be kept separate from) AdWords/AdSense. I’m interested to know what their plans are.

Between Google Search, Google Analytics (on many websites), AdSense, and now DoubleClick, virtually all websites on the web have some link to Google. Skynet is upon us. Google recently updated their privacy policy. I’m pretty certain that was in preparation for this move, and to avoid some controversy.

Categories
Apple

Mac OS X 10.5 Leopard Delayed

According to Apple, Mac OS X 10.5 Leopard is delayed until October. This was posted on Apple Hot News (though with no permalink, unfortunately, meaning it will likely disappear):

iPhone has already passed several of its required certification tests and is on schedule to ship in late June as planned. We can’t wait until customers get their hands (and fingers) on it and experience what a revolutionary and magical product it is. However, iPhone contains the most sophisticated software ever shipped on a mobile device, and finishing it on time has not come without a price — we had to borrow some key software engineering and QA resources from our Mac OS X team, and as a result we will not be able to release Leopard at our Worldwide Developers Conference in early June as planned. While Leopard’s features will be complete by then, we cannot deliver the quality release that we and our customers expect from us. We now plan to show our developers a near final version of Leopard at the conference, give them a beta copy to take home so they can do their final testing, and ship Leopard in October. We think it will be well worth the wait. Life often presents tradeoffs, and in this case we’re sure we’ve made the right ones. [Apr 12, 2007]

On the plus side I guess a few months of being feature complete would provide for a very stable release. I wonder if pre-orders will be taken prior to October? June seems slightly early to start. My guess would be Sept 1, with an announcement of when to expect pre-ordering in June.

Categories
In The News Mozilla

Spreading Firefox on Campus

Here is a little story from Appalachian State University about someone promoting Firefox. This guy seems pretty serious about his effort. And he’s a Freshman, so he’s still got time.

Categories
Mozilla Security

WebApp as Desktop App Security Model?

Recently there has been a fair amount of talk about bringing web applications off of the web and onto your desktop, or to put it in really simple terms: providing a bare-browser that has no UI but the site you visit. It sounds good, but I’m not convinced it’s quite workable, at least at this point. A few examples of these attempts are:

The first two are somewhat generic in purpose, while FullerScreen is intended more for the task of using a web page as a presentation medium, making it a potential replacement for something like PowerPoint.

I’m not quite sure this is really a workable model for the “average user”. Take for example the following scenario:

Say you use this as a way to make your Gmail (or Yahoo) account feel more like a client-side application. You receive an email to visit a site. You click the link and visit the site. You think you are using Firefox. In reality you’re viewing a spoofed window. Even if remote XUL is disabled you can still do a fair job with just a bunch of cut up GIFs, enough to fool a casual user. Firefox has some basic countermeasures to help prevent this, such as keeping some UI.

This could be prevented if a “windowless” browser always prompts or provides some other sort of notification before connecting to an unprivileged host. Or better yet, it simply launches the real browser rather than handling untrusted URLs. That would be better and less Vista-like.

So that leaves me with the question: how should such an application behave? A true desktop application typically launches the default browser on the computer. Notable exceptions are things like Real Player, Google Earth, etc., which embed a browser. How do you give a desktop-like feel to an application, yet still provide the UI feedback to the user that a browser’s chrome provides?

My suggestion is simply limiting by a hostname. You have a Gmail app, you trust Gmail and nobody else. In my mind an application does 1 task and does it well. If it was intended to feel like a Gmail client, then it should do that, and that only. Want to visit that website with the monkey that sniffs his own butt? Cool, but do it in your own browser.
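One way to implement the hostname restriction suggested above, as an added example (not code from this post or from any of the products mentioned). The names `APP_POLICY`, `decideNavigation` and `classifyAll` and the sample links are assumptions made for illustration; anything that is not an exact match for the trusted host is handed to the real browser instead of being rendered inside the chromeless window.

```javascript
// Added example: navigation policy for a single-site "desktop" wrapper.
// APP_POLICY and decideNavigation are hypothetical names, not a product API.
const APP_POLICY = {
  allowedHosts: new Set(["mail.google.com"]), // exact hostnames, no wildcards
  allowedSchemes: new Set(["https:"]),
};

// Returns "in-app" (load inside the wrapper), "external" (hand the URL to the
// user's default browser, which has real chrome) or "block" (load nowhere).
function decideNavigation(rawUrl, policy = APP_POLICY) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG URL parser, lowercases the hostname
  } catch {
    return "block"; // unparseable input
  }
  // Only web URLs are passed on; javascript:, data:, file: etc. are dropped.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "block";

  const trusted =
    policy.allowedSchemes.has(url.protocol) &&
    policy.allowedHosts.has(url.hostname) && // exact match, not a substring test
    url.username === "" && url.password === "" && // rejects trusted-name@other-host
    url.port === ""; // default port only (":443" parses to "")

  return trusted ? "in-app" : "external";
}

// Constructed sample links of the kind an e-mail body might contain.
const SAMPLE_LINKS = [
  "https://mail.google.com/mail/#inbox",
  "https://MAIL.GOOGLE.COM/mail/",
  "http://mail.google.com/",
  "https://mail.google.com.evil.example/login",
  "https://mail.google.com@evil.example/",
  "https://evil.example/?next=mail.google.com",
  "javascript:void(0)",
];

function classifyAll(links) {
  return links.map((link) => [link, decideNavigation(link)]);
}

for (const [link, verdict] of classifyAll(SAMPLE_LINKS)) {
  console.log(verdict.padEnd(8), link);
}
```

The check runs on the parsed hostname rather than the raw string, so a trusted name appearing as a subdomain label, in the userinfo part, or in a query parameter does not keep the page inside the app.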

I’d be curious what others thought of this potential problem. I think with XULRunner looking more stable, WebKit being available to Mac developers and the merging of the web and OS, things like this are a potential problem. We are getting more and more ways to embed browsers into things (widgets, extensions, etc.). This is going to be more of an issue moving forward.

This isn’t to say I don’t like the above products (I actually really like them). I just haven’t figured out exactly how they fit into the current security model of local:safe, web:devils-playground. I don’t think they do. I think they potentially break the barrier between the web and desktop applications, the one we’ve all been hoping would be broken. The question is: are we ready?

The higher level question is: How do you distinguish between trusted and untrusted data when it all looks like it’s local?

Categories
Mozilla Web Development

IE Table Border Bug?

I encountered this the other day. Firefox, Safari and Opera do what I expected and believe to be correct. I’m curious if anyone can explain this, or knows of a workaround that “doesn’t suck”. Take the following testcase:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML lang="en">
<head>
    <title>IE Table Border Bug</title>
    <meta HTTP-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style type="text/css">
        table {
            background-color: green;
            border-collapse: collapse;
            border-spacing: 0px;
        }
        table td {
            width: 100px;
            border-bottom: 3px solid red;
        }
        table td.strip {
            background-color: #fff;
            border-bottom: 3px solid #fff;
        }
    </style>
</head>
<body>
<table>
    <tr>
        <td> Test</td>
        <td class="strip"> Test</td>
        <td> Test</td>
    </tr>
</table>
</body>
</HTML>

Example

Pay attention to the bottom border. It should be flush with the green cells.

Firefox 2.0

Firefox Render

Close Up:
Firefox Render (Close Up)

IE 6

IE Render

Close Up:
IE Render (Close Up)

IE 7

IE7 Render

Close Up:
IE7 Render (Close Up)

Strange, but interesting. Excuse the poor quality of the screenshots. I cut these up really quick. Perhaps this weekend I’ll do a nicer job.

Categories
Personal

Bacon

Is bacon considered red meat? I saw this on TV this morning while flipping through the morning news. During some stock video of various red meats it was mixed in with mainly shots of beef. It comes from a pig, so I guess under the definition “anything from a mammal is red meat” it is. Though pork is traditionally white meat.

Bacon… meet tomato, a vegetable fruit.

Categories
Security Tech (General)

Getting A Non-RFID Credit Card

[Image: Chase Freedom Visa]

The Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contact-less terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

Blink Logo (sm) Chase

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

[Image: Chase Flexible Rewards Visa]

Chase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card, without the “Blink” capability. The actual plastic card is their “Rewards Visa” though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic; the credit plan is in the account, not the card. So there you have it, you can get a secure credit card if you’re concerned about security.

Chase claims “Blink” is very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed at which it can be swiped (as demonstrated on the Chase blink website), one could technically walk by with a bag containing a reader and just brush by the victim to read the card in their pants pocket, sit next to them on the bus/train, etc. This is easier than pickpocketing since no actual contact is needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. No way to read the magnetic strip or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I do realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and usage of stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.

Categories
Around The Web Internet Mozilla

April Fools 2007

Some of my favorites for this year: