Google’s Evil Browser policy

Gmail Fail

Google’s VP of Engineering (Venkat Panchapakesan) has published one of the most outrageous policy statements I’ve seen in a long time – not in a press release, but in a blog post.

He’s saying that Google will discontinue support for all browsers that aren’t “modern” from the end of July, with the excuse that its developers need HTML5 before they can improve their offerings to meet current requirements. “Modern” means less than three versions old, which currently refers to anything prior to IE8 (now that IE 10 is available on beta) and Firefox 3.5. This is interesting – Firefox 4 has just been released, I’m beta testing Firefox 5 with Firefox 7 talked about by the end of 2011. This will obsolete last month’s release of Firefox 4 in just six months. Or does he mean something different by version number? Anyone who knows anything about software engineering will tell you that major differences can occur with minor version number changes too, so it’s impossible to interpret what he means in a technical sense.

I doubt Google would be stupid enough to “upgrade” its search page. This will affect Google Apps and Gmail.

The fact is that about 20% of the world is using either IE 6 or a similar vintage browser. Microsoft and Mozilla have a policy of encouraging people to “upgrade” and are supportive of Google. Microsoft has commercial reasons for doing this; Mozilla’s motives are less clear – perhaps they just like to feel their latest creations are being appreciated somewhere.

What these technological evangelists completely fail to realise is that not everyone in the world wishes to use the “latest” bloated version of their software. Who wants their computer slowed down to a crawl using a browser that consumes four times as much RAM as the previous version? Not everyone’s laptop has the 2Gb of RAM needed to run the “modern” versions at a reasonable speed.

It’s completely disingenuous to talk about users “upgrading” – it can easily make older computers unusable. The software upgrade may be “free” but the hardware needed to run it could cost dear.

It’ll come as no surprise to learn that the third world has the highest usage of older browser versions; they’re using older hardware. And they’re using older versions of Windows (without strict license enforcement). There’s money to be made by forcing the pace of change, but is it right to make anything older than two years old obsolete?

But does Google have a point about HTML5? Well the “web developers” whose blog comments they’ve allowed through uncensored seem to think so. But web developers are often just lusers with pretensions, fresh out of a lightweight college and dazzled by the latest cool gimmick. Let’s assume Google is a bit more savvy than that. So what’s their game? Advertising. Never forget it. Newer web technologies are driven by a desire to push adverts – Flash animations and HTML5 – everything. Standard HTML is fine for publishing standard information.

I’ll take a lot of convincing that Google’s decision isn’t to do with generating more advertising revenue at the expense of the less well-off Internet users across the globe. Corporate evil? It looks like it from here.

WPAD and Windows 7 and Internet Explorer 8

I’ve recently set up WPAD automatic proxy detection at a site – very useful if you’re using a proxy server for web access (squid in this case). However, some of the Windows 7 machines failed to work with it (actually, my laptop which is just about the only Windows 7 machine here). This is what I discovered:

It turns out that those smart guys at Microsoft have implemented a feature to stop checking for a WPAD server after a few failed attempts. It reckons it knows which network a roaming machine is on, and leaves a note for itself in the registry if it’s not going to bother looking for a proxy server on that again. A fat lot of use if you’ve only just implemented it.

If it fails to find a proxy, but manages to get to the outside world without one, it will set the following value under this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\
WpadDecision = 0

If you want it to try again (up to three times, presumably), you can simply delete this value. You can disable the whole crazy notion by adding a new DWORD value under the same key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride = 1

You may well want to do this if you’re using a VPN or similar, as I really don’t think Windows 7 has any completely reliable method of determining the network it’s connected to. I’m impressed that it manages to ever get it right, but I’m sure it’s easy enough to fool it. Does anyone know how it works?

Infosec Europe 2011 – worrying trend

Every Infosec (the Information Security show in London) seems to have a theme. It’s not planned, it just happens. Last year it was encrypted USB sticks; in 2009 it was firewalls. 2011 was the year of standards.

As usual there were plenty of security related companies touting for business. Most of them claimed to do everything from penetration testing to anti-virus. But the trend seemed to be related to security standards instead of the usual technological silver bullets. Some of the companies were touting their own standards, others offering courses so you could get a piece of paper to comply with a standard, and yet others provided people (with aforementioned paper) to tick boxes for you to prove that you met the standard.

This is bad news. Security has nothing to do with standards; proving security has nothing to do with ticking boxes. Security is moving towards an industry reminiscent of Total Quality Assurance in the 1990’s.

One thing I heard a lot was “There is a shortage of 20,000 people in IT security” and the response appears to be to dumb-down enough such that you can put someone on a training course to qualify them as a box-ticker. The people hiring “professionals” such as this won’t care – they’ll have a set of ticked boxes and a certificate that proves that any security breach was “not their fault” as they met the relevant standard.

Let’s hope the industry returns to actual security in 2012 – I might even find merit in the technological fixes.

Google Phishing Tackle

In the old days you really needed to be a bit technology-savvy to implement a good phishing scam. You needed a way of sending out emails, a web site for them to link back to that wouldn’t be blacklisted and couldn’t be traced, plus the ability to create an HTML form to capture and record the results.

[Image: bank phishing scam form created using Google Apps. Creating a phishing scam form with Google Apps is so easy.]

These inconvenient barriers to entry have been swept away by Google Apps.

A few days back I received a phishing scam email pointing to a form hosted by Google. Within a couple of minutes of its arrival an abuse report was filed with the Google Apps team. You might expect them to deal with such matters, but this still hadn’t been actioned two days later.

If you want to have a go, the process is simple. Get a Gmail account, go to Google Docs and select “Create New…Form” on the left. You can set up a data capture form for anything you like in seconds, and call back later to see what people have entered.

Such a service is simply dangerous, and Google doesn’t appear to be taking this at all seriously. Given their “natural language technology” it shouldn’t be hard for them to spot anything looking like a phishing form, so I decided to see how easy it was and tried something blatant. This is the result:

No problem! Last time I checked the form was still there, although I haven’t asked strangers to fill it in.

Fetchmail, Sendmail and oversized emails

There’s a tendency for lusers to try to email anything these days. If you thought a few Gig of outgoing mail queue was enough, you haven’t come across the luser who decided to email the contents of a CD (uncompressed) to all her friends. Quite what they’d have made of their iPhone trying to download it I’ll never know.

Sendmail has a method for limiting emails to a sensible size. As a reminder, inside host.example.com.mc you need to add:

# The following sets the maximum message to 5Mb - otherwise it's infinite
define(`confMAX_MESSAGE_SIZE', `5242880')

Then run “make” and “make install” and “make restart”. This will generate the sendmail.cf (and any hashmaps) before restarting. The bit you always forget when changing .mc files is the “make install”. This is all for FreeBSD – Linux types, please do it your own way.

So this is great – anyone sending an over-sized email is bounced from their server, and local users submitting email will be similarly clipped into the world of sane and sensible (if you regard something as large as 5Mb as sensible for an email).

But I came across one interesting issue recently and it could happen to you, too, if you’re using fetchmail.

For those who haven’t come across it before, fetchmail pulls emails from a POP3 box and delivers them to local users – dropping them into your local MTA by default. This is reasonable, as everything then goes through the spam filtering, procmail and anything else you have defined. It’s really useful for legacy situations where someone’s ended up with a POP3 box somewhere and you need to integrate it with the rest of their mail.

Fetchmail does plenty more besides, and has a config file to match the functionality. Presumably as a reaction against the complexity of the sendmail.cf syntax, this one tries to operate in plain English. I’ve never quite figured out the full syntax, but it’s designed to be “flexible” and figure out what you’re trying to say. Personally I don’t think it succeeds in being any more friendly than sendmail.cf, in spite of being on the other end of the spectrum.

Anyway, the fun comes when fetchmail downloads an over-sized email from the POP3 box and delivers it locally via Sendmail. Sendmail will reject it, and send a bounce back to the original sender. So far, so good, but if fetchmail is run from cron every five minutes, the luser gets a bounce back every five minutes because the outsized mail is stuck in the POP3 box and is fetched again on every poll. Oops! It may serve them right, but they shouldn’t be allowed to suffer for too long.

Fortunately one of fetchmail’s many options allows you to control the maximum download size, if you can figure out the syntax. It’s available as the command-line option -l, but if you prefer to keep things in the .fetchmailrc file (the best plan) you’ll need to proceed as per the following example. The keywords are “limit” and “limitflush”.

  • local-postmaster-account is the login for your local postmaster – undelivered emails go there.
  • pop3.isp.co.uk – mail server with the POP3 box
  • users-domain.co.uk – domain name whose email ends up in the POP3 box above
  • pop3-username, pop3-password – what you use to log into the POP3 box
  • tom, dick and harry are local mailboxes, with tom being the default.

    set postmaster local-postmaster-account

    poll pop3.isp.co.uk proto pop3 aka users-domain.co.uk no envelope no dns:
        user "pop3-username", with password "pop3-password",
        limit 5242368 limitflush to

        dick
        "dick@users-domain.co.uk" = dick
        "richard@users-domain.co.uk" = dick

        harry
        "harry@users-domain.co.uk" = harry

        tom
        "tom@users-domain.co.uk" = tom
        "*@users-domain.co.uk" = tom

        here

This isn’t intended as a tutorial in writing .fetchmailrc files – only an example of the use of limit and limitflush.

So what’s going on? The limit keyword must be part of the poll statement, and is followed by the size (in bytes) of the maximum email to be retrieved. In the example it’s 512 bytes less than the 5Mb used in Sendmail (I feel I need a bit of slack on a boundary condition; it may be okay if they’re identical, but why push your luck?)

Please read the fetchmail documentation for full details (although it’s light on examples). With just the “limit” keyword in use, over-sized mails will be left in the POP3 box. The following “limitflush” keyword will silently delete over-sized emails so they don’t bother you again. You may not want to do this! If you don’t, someone will have to retrieve or delete the emails from the POP3 box manually.

Note that putting a limit on the download will prevent the bounce messages going to the original sender, as the message won’t get as far as Sendmail.
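The point of the two settings is that the fetchmail limit has to sit below the Sendmail ceiling, otherwise the over-sized message still reaches Sendmail and the bounce-every-poll loop comes back. As an added example (my own script, not part of the original post or of fetchmail or Sendmail), here is a small POSIX shell check that reads confMAX_MESSAGE_SIZE out of a sendmail .mc file and the limit keyword out of a .fetchmailrc, and reports whether the two are consistent and whether limitflush is set. The file names, the function names and the sample configuration it writes are all constructed for the example; it assumes the .mc and .fetchmailrc layouts shown above.

```shell
#!/bin/sh
# Consistency check between Sendmail's confMAX_MESSAGE_SIZE and fetchmail's
# "limit" keyword. Added example; file names and sample contents are constructed.

# Print the confMAX_MESSAGE_SIZE value (bytes) from a sendmail .mc file.
# Skips "#" and m4 "dnl" comment lines; prints nothing if the define is absent.
sendmail_max_size() {
    awk -F"[\`']" '/^[[:space:]]*(#|dnl)/ { next }
                   /confMAX_MESSAGE_SIZE/ { for (i = 1; i <= NF; i++)
                       if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# Print the byte count following the first "limit" keyword in a .fetchmailrc.
# Comments are stripped first so that prose containing the word is ignored.
fetchmail_limit() {
    awk '{ sub(/#.*/, "")
           for (i = 1; i < NF; i++)
               if ($i == "limit" && $(i + 1) ~ /^[0-9]+$/) { print $(i + 1); exit } }' "$1"
}

# Exit 0 if "limitflush" appears anywhere outside a comment, 1 otherwise.
fetchmail_has_limitflush() {
    awk 'BEGIN { missing = 1 }
         { sub(/#.*/, "")
           for (i = 1; i <= NF; i++) if ($i == "limitflush") missing = 0 }
         END { exit missing }' "$1"
}

# Return 0 when the fetchmail limit is strictly below the Sendmail ceiling, so
# an over-sized message is stopped before Sendmail can bounce it; 1 otherwise.
check_limits() {
    max=$(sendmail_max_size "$1")
    lim=$(fetchmail_limit "$2")
    [ -n "$max" ] || { echo "no confMAX_MESSAGE_SIZE in $1: Sendmail accepts any size"; return 1; }
    [ -n "$lim" ] || { echo "no limit keyword in $2: over-sized mail will reach Sendmail and bounce on every poll"; return 1; }
    if [ "$lim" -lt "$max" ]; then
        echo "ok: fetchmail limit $lim < sendmail max $max (slack $((max - lim)) bytes)"
        return 0
    fi
    echo "problem: fetchmail limit $lim >= sendmail max $max"
    return 1
}

# Constructed sample files, written under a scratch directory.
SAMPLE_DIR=${TMPDIR:-/tmp}/mailsize.$$
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/host.example.com.mc" <<'EOF'
dnl constructed fragment of a sendmail .mc file
# The following sets the maximum message to 5Mb - otherwise it's infinite
define(`confMAX_MESSAGE_SIZE', `5242880')
EOF
    cat > "$SAMPLE_DIR/good.fetchmailrc" <<'EOF'
# constructed .fetchmailrc: limit is 512 bytes under the Sendmail ceiling
set postmaster local-postmaster-account
poll pop3.isp.co.uk proto pop3 aka users-domain.co.uk no envelope no dns:
    user "pop3-username", with password "pop3-password",
    limit 5242368 limitflush to tom here
EOF
    cat > "$SAMPLE_DIR/bad.fetchmailrc" <<'EOF'
# constructed .fetchmailrc: limit is above the Sendmail ceiling, so the
# bounce-on-every-poll loop can still happen
poll pop3.isp.co.uk proto pop3 user "pop3-username" password "pop3-password"
    limit 6291456 to tom here
EOF
}

# Stand-alone demonstration: ./mailsize.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_samples
    check_limits "$SAMPLE_DIR/host.example.com.mc" "$SAMPLE_DIR/good.fetchmailrc"
    check_limits "$SAMPLE_DIR/host.example.com.mc" "$SAMPLE_DIR/bad.fetchmailrc"
    fetchmail_has_limitflush "$SAMPLE_DIR/good.fetchmailrc" && echo "good.fetchmailrc will flush over-sized mail"
    rm -rf "$SAMPLE_DIR"
fi
```

Run it with --demo to see both outcomes on the constructed files, or point check_limits at the real host.example.com.mc and .fetchmailrc after editing either one. The check only reads the .mc source, so it says nothing about whether “make install” has actually been run to regenerate sendmail.cf.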

Billing problems 1899.com

1899 and 18866 are two apparently linked low-cost telecoms companies. They’re so-named because that’s the prefix used to route through them.

Now some time ago I started using their services and wrote a couple of articles recommending them, with the proviso that you shouldn’t expect any kind of customer service. The company appears to be based in Switzerland and they don’t want to talk to anyone. But they’re legit. The only thing I said back then was to pay by credit card and get consumer protection. If you don’t mind this, they do deliver. Or did deliver.

After many years I had to change my credit card number, so I filled in the billing change for both companies. 1899 took no notice, and after several months tried to bill the old card – and was rejected. I made sure they had the right one, and told them to try again, but they wouldn’t. When I eventually got through to someone apparently from 1899 they said it was their policy not to try a card a second time and asked me to send the money using an international transfer, after which they’d start billing the card again. I don’t think so. This could have been anyone’s bank account, and if genuine it’s a very strange way to do business – as well as costing me £20 for the transfer. Apart from which, they weren’t trying to charge the old card again – it was a new number. That’s the point!

Their terms of business say you need to pay by credit card – no problem, they can charge the card.

They didn’t.

I wrote back saying charge the card, or if you really don’t want to, you can have cash. This is an offer to pay using legal tender – if they refused they won’t have a leg to stand on if they want the money any other way. I assumed they’d see sense.

They didn’t.

This went back and forth. I made it clear – charge the card (recommended), take the cash or I’ll see you in court. It’d be interesting to meet these guys if they went for one of the last two options.

It’s over a year now. I still owe them for the calls, and haven’t heard anything about it. It’s annoying that I owe them money. The service doesn’t work any more (unsurprisingly). I can manage without it. 18866 still works (that half of the company is using the correct card).

So do I still recommend 1899 and 18866? Well I suppose I do, but as I said in my original articles, it’s fine when it works but don’t expect any sane or sensible customer service if it doesn’t.

Oil war or humanitarian mission?

I’ve woken up today to hear we’re in yet another war to protect oil supplies, this time in Libya.

What’s actually happening is that a bunch of dodgy people are trying to take control from the existing dodgy government by force of arms. The UN (a label of convenience) is weighing in on the side of the anti-government faction that controls the oil fields (or did yesterday, things are moving fast). The excuse is that they’re protecting civilians.

Now this is something of a civil war. There are four groups involved. Firstly there are the government forces. They’re not civilians and it’s their job to protect the state. If we had an armed uprising in the UK (such as the IRA), the state army is there to protect the government. The Libyan army likewise.

The second group are the anti-state “army”. Actually they’re not an army; they’re several groups of civilians with guns and bombs. The state army is defending the state against them, as would be expected. Is the UN protecting these “civilians” from the state army? It looks like it; or more specifically the UN is providing military support to these groups, against the government.

The third and fourth groups are the pro and anti-government civilians. By siding with the anti-government lot (simplistically, those in the east) you could argue that you’re protecting those civilians, but as you’re not (apparently) protecting the pro-government civilians in Tripoli from the rebels, it’s a very thin argument.

All governments in the region are dodgy (Israel is the only real democracy as we know it). The rebels are dodgy. It’s a dodgy place, and there are dodgy people around. It’s the way things are, and we should be leaving them alone. Otherwise we’re imposing our version of how things should be on someone else. But unfortunately a lot of these places are financed by the oil we’re dependent on buying from them, which is what makes Libya a special case (along with Iraq).

Pretending that it’s a “no fly” zone for humanitarian reasons, basically siding with the rebels, is a scandal. If we’re going to war we should be honest about the reasons, not making them up after the event (like Blair and Bush). And if they think they’re backing the right horse with military support and they’ll be rewarded later, they know nothing about the culture in that region. I’m not even sure they’ve backed the right horse; Gaddafi’s government doesn’t roll over easily.

Cameron on Gaddafi – it’s personal

I’ve just watched David Cameron being interviewed about the situation in Libya. He’s saying things like “Stop Col. Gaddafi”, and “Col. Gaddafi is brutalising his people”, referring to Libya’s stated compliance with a ceasefire.

This is worrying. Col. Gaddafi isn’t attacking civilians, repressing his people or doing any of the other things David Cameron and Barack Obama are accusing him of. He is sitting in an office. Elsewhere in Libya there are people with differing interests fighting each other. It’s called a civil war.

When our politicians refer to such problems in terms of a specific personality, such as Col. Gaddafi, Saddam Hussein or even Adolf Hitler we’re in for trouble. It’s not one person creating the situation, but a sizeable group of people with a vested interest. They’re missing the point. Or more likely, they’re hoping we’ll miss it.

Alternative Voting

I’ve just had a very nice chap on the ‘phone asking me if the AV campaign could count on my support in the forthcoming referendum. I told him that would be premature.

AV is attractive, but so is the existing, tried and tested system that has done us fairly well for nearly a century. Prior to that we had a similar system, except that women weren’t allowed to vote. This was probably wrong, but made sense at the time as women haven’t always been as clued up as in modern times (which was definitely wrong). Going back further we’ve had systems where (crudely put) only the best educated in society have had a vote, to various extents.

The idea that democracy is good, and therefore more democracy is better, doesn’t really hold water. Democracy was popularised by the ancient Greeks in Athens, but even back then they could see the problems (Plato’s Republic is an interesting read, and Socrates was a smart guy with a solid handle on it).

The good thing about democracies is that they allow you to boot out a bad government, which is why we must keep them. But do they get you a good government? I’d say, based on the evidence, that the more democratic you get, the worse the decisions the government is likely to take.

The AV camp keep pointing to Australia as a working example. If this is the best they can come up with, we’re in big trouble. Just take a look at Australian politics in action and you’ll see what I mean.

Another of their arguments, to quote the Electoral Reform Society, is that it “Penalises extremist parties, who are unlikely to gain many second preference votes.” They don’t back this up with research, so here’s an anecdote about the BNP (argue amongst yourselves as to whether they’re what was being talked about).

In the 2010 elections, talking to voters (especially in the less well-off and looser-tongued areas) the subject on the BNP came up. “They make a lot of sense and I’d vote for them if I thought it would do any good…” was a message I got quite frequently, in spite of the pariah status imparted to the BNP by the media. This was followed by “but I don’t want Gordon Brown to get back in.”

And there’s the rub. The AV camp believes people will vote positively with AV: vote for who they really want. What they don’t realise is that, at present, a lot of people are voting against who they don’t want, more than anything else.

So how will “extremist” parties fare under AV? Pretty well, I suspect. People would have voted for the BNP with their first choice, and against Gordon Brown with their second. The Electoral Reform Society idea that extremists will be disadvantaged needs some justification.

It’s not just me that thinks this, however. Take another minority extremist party, the Greens (they want to do some pretty extreme things with the economy); what do they reckon? Well their conference voted to back AV and they’re actively campaigning for it. If the Electoral Reform Society is correct then surely the Greens would be wiped out. That scenario doesn’t seem to bother them overly.

On the other hand, the shake-up that minority parties could bring might be just what we need as a society. Remember, you don’t need to end up with an MP from such a party, but the realistic threat they might get in is bound to influence the policies of the main parties. For example, in the general population there is a majority to bring back hanging (never mind the issues involved with multiculturalism). The educated liberal elite in the main parties are always putting the brakes on the death penalty when the idea comes up, but if AV really does give the people a purer voice, things may get interesting on this and many other issues.

No Fly zone in Libya is a bad idea

EU Foreign Ministers are planning a No Fly zone for Libya to protect anti-government protesters, and Russia has decided to stop selling the Libyan government arms. No one should have been selling arms in that part of the world, but “no fly” zone?

Let’s be clear – a no fly zone involves either words (which won’t work) or attacking Libya to enforce it.

The Libyan government is fighting armed protesters/rebels and fighting back. It’s their prerogative. A no-fly zone would obviously help the rebels because they don’t have an air force. The UK government is doing various things to ingratiate itself with the rebels, probably because they’re close to the oil fields. But is this wise?

Gaddafi’s lot are as odious as they come, but we now seem to have an agreement to leave them alone and they’ll leave us alone. Blair decided this in 2004, visiting the Mad Dog in Tripoli and making peace (forgiving him); to their credit the Conservatives weren’t so keen. But is anyone stopping to think what the rebels might be like? Based on previous experience, they won’t be terribly friendly if they win.

This is something the Libyan people need to decide. If we get a “no fly” zone it means attacking Libya and taking sides in what could turn out to be a civil war. We should be careful what we wish for.