Feb 02

How to make cookies work the way they should work:

  1. If you’re using Internet Explorer, upgrade to Firefox.
  2. Install the CookieSafe extension. (For Firefox 3, you want CS Lite.)
  3. Restart Firefox.
  4. Open Edit→Preferences→Privacy. In the Cookies section, uncheck "Accept cookies from sites".
  5. If you’ve been accepting cookies from all kinds of sites, clear your cookies with the Private Data "Clear Now" button.

That’s it. Now, Firefox will block all cookies by default. If you navigate to a site that has a legitimate reason to use cookies—for example, a site you log in to—you just need to click the cookie icon bottom right of the Firefox window and a menu will pop up. From the menu, you can choose to allow cookies for that site, and that site alone, with a single click.

CookieSafe

No more being spammed with dialog boxes from sites that try to send you a dozen third-party ad-tracking cookies. No more painful editing of lists of domains allowed to set cookies.

Frankly, this is how they should make cookies work in Firefox 2.0.

NoScript

Add the NoScript plugin and JavaScript works the same way.

NoScript

Awesome! I’ve entered a Firefox enhancement request asking that this be the UI for cookie and script security in future versions of the browser. If you agree, please vote for it.

Jul 26

Microsoft has announced its new tenets to “promote competition”, so I thought I’d take a look at them. I wasn’t impressed.

1. Installation of any software. Computer manufacturers and customers are free to add any software to PCs that run Windows.

Translation: “Your computer belongs to you, not us.”

Yes, you’re actually allowed to install any software you like on the computer you build or purchase. It’s hard to believe that Microsoft even have to write this down. That they feel it’s some kind of new principle to apply “going forward” is a shocking admission.


Apr 30

Internet Explorer doesn’t render my web site properly. The navigation bars all appear at the bottom, instead of on the right where they belong.

It’s not a bug with the web site; the problem is that IE doesn’t support web standards properly. I’m not interested in working around your buggy browser when you can upgrade to something that works, for free.

Check out the award-winning Mozilla Firefox. It’s much better than IE:

  • Firefox helps block viruses, pop-up ads and spyware.
  • It’ll let you subscribe to my site and get told about updates automatically.
  • It has browser tabs, letting you open multiple pages at once without having to juggle multiple windows.


Jan 31

[Web developer geek talk. All others can skip, unless you want to know why web developers hate Internet Explorer.]

CSS sprites and single-image rollovers are great. However, if you try to use position: absolute to put them at specific points on the screen, you’ll hit an unpleasant Internet Explorer bug.

Specifically, your rollover will activate when you hover the mouse over it, but it won’t deactivate.

After much experimentation I discovered the IE bug that leads to the misbehavior:

In IE6, Link elements only de-hover when the mouse hits the rest of the block, such as the text or border around the <a> element. For absolutely positioned rollover buttons, there is no rest-of-the-block.

However, with a couple of egregious hacks, you can get your rollovers working again.

Step 1 is to put a large margin on all the <img> elements. The margin counts as non-hover area, and will cause the rollover to de-highlight when the mouse touches it. Make sure the margin is large enough that the user is unlikely to be able to move the mouse over it without touching it.

Step 2 is to position the rollovers by wrapping them in a <div> rather than by positioning the <a> or <img> elements. If you position the rollover itself, the margin is ignored; if you put the rollover in a positioned <div>, the margin remains active.

Step 3 is to subtract the size of the big margin from all your rollover coordinates, to allow for step 1.

So the end result is something like:

/* Step 1: the big margin is the non-hover area that makes IE6 de-highlight the rollover */
a img { margin: 64px; }
/* Step 2: position the wrapping div, not the <a> or <img>, or the margin is ignored.
   With a 64px margin the image itself lands at (264px, 264px), so subtract 64px
   from the coordinates you actually want (step 3). */
div#c1 { position: absolute; left: 200px; top: 200px; }
a#r1 img { background: url(whatever.gif) no-repeat; background-position: 0 0; }
a#r1:hover img { background-position: 0 -100px; }

[...]

<div id='c1'><a href="whatever"><img src="blank.gif" width='100' height='100' alt="Whatever!" /></a></div>

[...]

Share and enjoy. Unless you’re someone on the IE development team, in which case get back to work and fix some of those bugs.

Jan 29

New Windows / Internet Explorer security hole:

  1. Upload any Windows executable you like to a web server.

  2. Set up the web server to send .exe files as text/html.

  3. Put a CLSID in the filename.

  4. Post links to the file, cloaking them as http://www.innocenturl.com%01%00@www.yoursite.com/virus/whatever via the previously announced URL cloaking bug.

  5. Wait for anyone using Internet Explorer to click on the innocent-looking link and get asked if they want to open the HTML web page.

  6. Cackle as their computer downloads the executable and runs it, without prompting them further.

Solution: Switch to Mozilla, or don’t click on “Open” to open files.
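Two defensive checks for the tricks described above, as an added example that is not code from the original post: one flags links whose apparent host is really the userinfo part of the URL (the cloaking in step 4), the other flags a response labelled text/html whose bytes begin with the "MZ" signature of a Windows executable (step 2). It assumes Node.js with the global WHATWG `URL` and `TextEncoder`; the WHATWG parser splits userinfo from the real host the way modern browsers do, which is exactly what the affected Internet Explorer versions failed to show the user. The sample links and bytes are constructed for the example.

```javascript
// Added example (not from the original post). Assumes Node.js with the
// WHATWG URL parser and TextEncoder available as globals.

const CONTROL = /[\x00-\x1f\x7f]/;

// Inspect a link the way a mail or proxy filter might. Returns null for a
// plain URL, otherwise an object naming the host a reader would think they
// are visiting, the host the request really goes to, and why it was flagged.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { displayedHost: null, realHost: null, reason: 'unparseable URL' };
  }
  if (url.username === '' && url.password === '') return null;

  let userinfo;
  try {
    userinfo = decodeURIComponent(url.username);
  } catch (e) {
    userinfo = url.username; // malformed escapes: inspect the raw text instead
  }
  // Text before the first control character is what the address bar appeared to show.
  const displayedHost = userinfo.split(CONTROL)[0];

  let reason;
  if (CONTROL.test(userinfo)) {
    reason = 'control characters in userinfo cut the visible URL short';
  } else if (userinfo.includes('.')) {
    reason = 'userinfo resembles a host name';
  } else {
    reason = 'credentials embedded in URL';
  }
  return { displayedHost, realHost: url.hostname, reason };
}

// A response claiming to be HTML whose body starts with the DOS/PE "MZ"
// signature is an executable wearing a text/html label.
function executableLabelledAsHtml(contentType, body) {
  const mediaType = String(contentType).split(';')[0].trim().toLowerCase();
  const bytes = body instanceof Uint8Array ? body : new TextEncoder().encode(String(body));
  const hasMzHeader = bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
  return hasMzHeader && mediaType === 'text/html';
}

// Constructed sample inputs so the checks can be run stand-alone.
function demo() {
  const links = [
    'http://www.innocenturl.com%01%00@www.yoursite.com/virus/whatever', // the cloaked form from the post
    'http://www.example.com/page', // constructed: an ordinary link
  ];
  const findings = links.map((l) => [l, inspectLink(l)]);
  const peBytes = new Uint8Array([0x4d, 0x5a, 0x90, 0x00]); // constructed: first bytes of a PE file
  findings.push(['text/html body starting with MZ', executableLabelledAsHtml('text/html; charset=utf-8', peBytes)]);
  return findings;
}

for (const [label, result] of demo()) console.log(label, '=>', result);
```

The first check is the useful one at the link-filtering stage: a URL with userinfo that looks like a host name, or that contains control characters, is almost never legitimate in a mail or web page and can simply be rewritten or refused. The second check belongs in a proxy or download handler, since it needs the response bytes; it only looks at the first two bytes, which is enough to catch the .exe-as-HTML trick without a full file-type library.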

Oct 02

Since I’ve just spent a while updating three Windows machines with this week’s half a dozen security and antivirus updates, here are some statistics I found interesting.

Product                                   Critical security holes to date
----------------------------------------  -------------------------------
Internet Explorer                         68
IIS                                       56
Windows NT 4 WS                           48
Windows NT 4 Server                       41
Windows NT 4 Terminal Server Edition      40
Windows NT 4 Server Enterprise Edition    36
Windows 2000 Professional                 34
Windows 2000 Server                       31
Windows 2000 Advanced Server              31
SQL Server                                28
Windows 98                                26
Exchange Server                           25
Windows 95                                16
Windows 98SE                              15
Windows 2000 Datacenter Server            11
Windows ME                                10
Windows 2000                               9
MSDE                                       8
Windows Media Player                       8
Windows XP Professional                    7
Site Server                                7
Commerce Server                            6
Windows XP Home                            6
Site Server Commerce                       6
Visual Studio                              3
Systems Management Server                  3
Index Server                               3
Visual Basic                               2
ISA Server                                 1
Content Server                             1

Another interesting statistic: Microsoft is trying to reduce the number of security bulletins it has to issue by bundling multiple products’ vulnerabilities into a single bulletin. Each security bulletin now covers an average of 2.5 products.

Number of Outlook-specific viruses and worms: 274.

Mar 12

Windows 2000 is a piece of shit.

I now have a new(er) ThinkPad at work, which will run Windows 2000. People have often said to me “Yes, Windows 95 was awful, and Windows 98 was bad, and Windows ME was flaky, and Windows XP isn’t very good… but Windows 2000 is great. Stable, fast, reliable.”

I took their word for it. Yes, I know, paint the word “SUCKER” on my forehead. Now I’ve had a chance to experience it first hand, I’ve discovered that Windows 2000 is every bit as shitty as Windows 98; it just costs a hell of a lot more.

Let’s start with the bootup. Yes, it boots much faster than Windows 98. Then it sits there saying “Preparing network connections…” for over a minute (I timed it), doing nothing at all. No disk activity, practically no network activity. How long does it take to do a DHCP lookup anyway? It turns out that it’s faster to boot Windows 98 on the old Pentium II machine than it is to boot 2000 on the Pentium III that’s supposedly twice the speed. Crap, really crap.

Plug’n’play. Oh yeah. I have two devices—a PS/2 serial trackball and a 3com ethernet PC card. It took three attempted installs of the drivers, and two system crashes, before Win2K finally gave in and recognized the trackball. Getting the system configured to use the ethernet card was easy in comparison—at least, getting TCP/IP to work was easy. Getting Microsoft file sharing to work… well, I still haven’t. I’m using rsync under Cygwin to copy files. It’s faster than SMB anyway. (56 bytes for a 5MB file—now that’s what I call a low protocol overhead.)

Of course, every single networking configuration change requires a one minute wait while it ‘prepares’ the network connection, followed by a reboot, followed by another one minute wait during bootup. That’s assuming the system doesn’t crash, which it did once. Or spontaneously reboot, which it has done twice while trying to browse local SMB volumes. I think I’ll just stick to rsync. Obviously Microsoft couldn’t write a reliable, fast file transfer protocol if their business depended on it. Fortunately for them, it apparently doesn’t.

Mention of reboots brings me to stability. No more blue screen of death in Windows 2000, they told me. That’s true—it goes straight to the black screen, then the BIOS menu comes up and the boot process begins again. To think I used to think the bomb dialog on the old classic Mac OS was unhelpful! It’s difficult to see how Windows 2000 could suck more in this area. More frequent random reboots? Or perhaps future releases of Windows will randomly scramble the filesystem? I guess the workaround is not to use Microsoft file sharing, as that’s what seems to trigger the reboots.

Reliability? Last bootup web browsing worked, but instant messaging didn’t. This bootup I powered the machine off for ten seconds first, and now they’re both working. Any error messages or explanation? Nope. Windows 2000 just sucks.

Thank goodness I have “Windows 2000 Professional”, and not the crappy amateurish version. I wonder if I can hack the splash screen to put in the missing quote marks?

Probably not. One thing that’s clear about Win2K is that the iron fist of Microsoft is in control. Don’t like Outlook Express? Well, you’d better get used to it, because you can’t uninstall it. Try add/remove programs, and there’s no entry. Try to delete the files, and Windows arrogantly tells you that you’re not allowed to, even as Administrator. Hack around that restriction and forcibly delete the files, and you encounter the final indignity: the next time the system demands that you reboot, it copies all the files back again from a hidden directory.

Yes, in the wonderful world of Windows 2000, Microsoft waste your disk space with two entire copies of every piece of bundled crappy bloatware that you don’t want, just so that they can be sure it’ll be there whether you like it or not. Presumably the idea is that I’ll say “Oh, well, since I have to have Outlook Express and Internet Explorer and NetMeeting, I guess I might as well use them.” As you can probably guess, this sends me into a seething rage. I have resolved that I will delete NetMeeting and Outlook Express, even if I have to use a sector editor to do so.

The worst part of this whole Windows 2000 experience is that it chips away yet another piece of my faith in humanity. As long as I could believe that Windows 2000 wasn’t entirely a shoddily-written piece of garbage that an undergraduate hacker would be ashamed of, it was possible for me to believe that 90% of the computer users out there were not in fact deluded morons. I thought that they chose to use an OS which, although ugly and expensive, at least worked and would run lots of software.

Now I know otherwise. Now I know that the people who evangelize to the reliability, scalability and ease of use of Windows 2000, really are a horde of hopelessly brainwashed Windozer zombies. Why else in the name of sanity would anyone fork out money for crap like this? If Microsoft announced the new Microsoft Spiked Dildo at a price of $500 a year, I bet the ’dozers would be out there at midnight on launch day, bent over and greased up…

Feb 06

Downloaded Mozilla 0.9.8. It now has support for some Mac OS X native user interface elements, so it looks slightly less crappy. However, it crashed within the first couple of minutes of using it.

Downloaded iCab X latest preview release. Doesn’t render my home page correctly; apparently the CSS support is lacking.

OmniWeb has a lovely interface, but also lacks proper CSS support.

Oh well, looks like I’m stuck with Internet Explorer for now.

Dec 07

Mark came over, bringing his Compaq PC which has been behaving oddly. A little exploration revealed that all kinds of vital files had been deleted from the hard drive—some DLLs needed for Windows domains, a few key bits of Internet Explorer, and the whole of Outlook Express, for example.

After half an hour or so fiddling with the Network control panel, rebooting, then fiddling with it some more, I managed to get the machine to request an IP address and join the network. Once that had been achieved, it was relatively simple to siphon off all his data via a combination of SMB and FTP, and burn it all onto some CDs.

Then we tried booting from the recovery CD, only to find that the recovery CD merely starts a batch file on a separate partition of the hard drive. Yup, no Windows install CDs supplied, and you’ve guessed it, the recovery partition was hosed. So we deleted the data, and Mark’s going to take the machine back under warranty for the store to reformat the drive and reinstall Windows.

I’m not sure what the cause of the problem was, but it looks awfully like a malicious hacker or trojan horse program. I’m guessing ‘hacker’, because we’re talking about a non-firewalled Windows box on a cable modem connection, but with up-to-date virus scanner software.

Anyway, after seeing how much faster my 350MHz G4 is than his 600MHz PC, Mark now has Mac envy.

Aug 10

It seems that Microsoft Internet Explorer keeps a record of all web sites you ever visit, and all search engine terms you type in to any search engine—even if you tell it to clear the history! It also collects all your cookies from every site you visit, in a separate set of secret folders hidden away from the normal cookie folder—so even if you think you cleared out your cookies, you probably didn’t.

They’ve clearly gone to a lot of work to prevent people finding these hidden files too—they’re specially flagged to stop them displaying in the DOS shell or Windows. Even if you unflag them, special code in Windows will hide them again next time you reboot. The code is hidden away in rundll32.exe, which is supposed to be just the tool that runs 32-bit DLL libraries. Sneaky or what?

In fact, only the old Windows Explorer program (left over from Win3.x) will show the directories. Even then, Windows is specially patched to prevent you from looking at the files unless you copy them somewhere else first!

So what’s in these files? Well, looking at my own machine, I see a log of sites I’ve visited that I know I haven’t been to this year, and searches for stuff I was researching last year as well. I can think of no legitimate reason for this information to still be stored in database files on my disk. Even ignoring the possible privacy implications, all this unencrypted secretly logged data represents a significant security risk. Do I want anyone who gains physical access to my machine to be able to get my online banking account details? I don’t think so.

For more information and a guided tour of what Microsoft have secretly stored on your hard disk, see <URL:http://www.f***windows.com/content/ms-hidden-files.shtml>. I think I’m about to switch browser, now that Mozilla seems stable enough to use… I’m glad I’ve never used Outlook Express.