Firefox 3 First Impressions

+/-:
+ Faster
+ Lighter
+ Better default theme
+ Cool new features

- nothing so far

Download Link

Firefox 3 Beta 2 – Not so fast

Sadly, the most important addon I use, Google Browser Sync is still not compatible with Firefox 3b2. Google needs to stop slacking… or would need to if it had competition :/

Anyway a few other addons I use are also not compatible yet: Google Gears, DownThemAll, Adblock Plus and the Growl addon.

Oh well, guess I’ll have to wait in memory leak land for a while – at least until Google releases a compatible browser sync.

News From The Front Of The Second Browser War

* HTML5

* JS2

Browser Windows Inside The Application

Let’s skip the part about the why – that’s for another post, maybe. I want to create an application that has browser windows inside it. I’m hardly the only person to want to do this but there seem to be surprisingly few ways to do this if you consider cross-platform support a must.

Java can’t do it. In fact after searching I was only able to find 2 options:

Option a) wxMozilla – I already knew this one but considering the last version of it (0.5.4) came out in 2005 and there are at least few posts/emails around the web seem to indicate some problems – though I haven’t investigated this thoroughly.
The big plus of wxmozilla is that I believe this is what was used to develop gush and what I want to do (want != will) is very similar to gush in terms of GUI.

Option b) GtkEmbedMoz/Gecko# – this is the solution that I’m leaning towards.

Does anyone out there know any other options? Preferably something usable with either Java or Python (I really don’t feel like coding in C++) and Linux/Mac/Win support would be nice though only Linux/Mac support is strictly required.

UPDATE: having looked at things in more detail I don’t think GtkEmbedMoz/Gecko# is a good solution for me based on the OSX support and the fact that I’d rather use python for this. That leaves me with wxMozilla as the only option for now (and I’m not sure that it will work).

UPDATE2: while what is (was?) the main page for wxMozilla doesn’t show it, there is an April 2006 version of wxMozilla on the sourceforge page.

Making Windows look good – Linux themes in Windows

I learned about Linux themes in Windows via the Tux Vermelho blog (in Portuguese) which in turn learned about it from the Tech by Colin blog (in English). I’ll mirror the instructions here just in case:

1 – Download the Belchfire to patch to make Windows accept new themes (hurray for MS crippleware) from here.

2 – Download a Visual Style (Colin recomends these):
* Clearlooks
* Human
* Plastik
I went with clearlooks (same one I usually use in Linux).

3 – Icons. Get the Tango Patcher. Previews here.
I went with Tangerine (though I usually use the OSX icons in Linux – they are just sooo purrty).

4 – Tango for Firefox and Tango/Tangerine for uTorrent. You may be able to find (some of) these themes for other applications too.

And that’s all folks.

Internet Explorer 7 & CCleaner

I’ve been a firefox user since 0.5 or 0.6 something like that. Before I was a mozilla user and for a while before that I even used Netscape. It’s safe to say that i’ve never been much of a fan of IE. I’ve used IE (even on linux over wine) too browse some IE-only webapages on a few occassions but most of the time I use it to access one specific webpage: it’s a local webpage that acts as a sort of “customization” of a remote website. It uses a bunch of ActiveX controls, javascript and stuff. It is a IE-only webpage. I decided to try out the new IE7 beta2, obviously I didnt make it my default browser and when I tried to open the local webpage with it, it opened it in firefox. Talk about being useful… IF I WANTED TO OPEN IT IN FF I WOULD’VE DONE IT WITHOUT IE! Damn stupid browser… sigh. Only 10 seconds into the new version of IE and I’m already trying to uninstall it – that’s a record. And yes, I said “trying”. Why? You would’ve thought that a company that incorporated an “Add and Remove Programs” app to their Operating System would’ve used it, especially with beta software… sigh. So I had a non-useful browser installed that I couldn’t install its slightly more useful previous version until it was removed – I knew that without even trying it, it’s the “Microsoft Way” not allow you to replace programs with their previous version. That’s when the hero of this story stepped in, CCleaner:

CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system – allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. But the best part is that it’s fast (normally taking less that a second to run) and contains NO Spyware or Adware!

It can also uninstall programs, in this case it uninstalled IE7 and I’m back with IE6. And that’s how CCleaner saved the day. Thank you CCleaner

UPDATE:

OK SORRY! I was a bit pissed off when i wrote this post and a few people (namely Pedro Fernandes and Relax) already pointed out to me that you can remove IE7 as an update via the “add an remove programs” app.

The US-CERT Bulletin Debacle

It has been all over the news for the past couple of weeks or so. The US-CERT released its Cyber Security Bulletin 2005 Summary and while I’m not one to doubt human incompetence the fact that this report was put together by someone who supposedly understands the concept of “operating system” makes me think it might’ve been more than just incompetence. At issue is the fact that the bulletin for some reason decided to divide the vulnerabilities by what operating systems they affected, to quote the report: “Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported“. So far so good. Unfortunatelly whoever put it together, apparently, doesn’t understand what an “operating system” is. So according to that Cyber Security Bulletin only two operating systems exist: Windows and Unix/Linux. And so under that classification, the US-CERT bulletin states:

“There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities”

We all know how competent and umm… competent the press is. There is no point in blaming this on the “Microsoft Press Machine” though I’m sure they were happy to give a hand to the more useless members of the press, the fact is they didn’t have to. Out of the majority of the reporters out there, the few that actually understand anything about what they are reporting on are usually incapable of doing anything more than just copying a press release into a text processing program and changing the words a bit as well as occasionally asking for quotes from “experts” – people usually attached to a big company that has something to lose by telling the whole truth. And I’m not even going to mention their need for sensationalist headlines… oh wait I just did. All this said, it was obvious to everyone with half a brain that the words in the US-CERT bulletin were going to be interpreted/transcribed by the press as “Windows is more secure than Unix/Linux” or even more appallingly as “Windows 3X safer than Linux“.
I don’t know what makes me more sad: the fact that the tech press still doesn’t know that security of an operating system cannot be effectively measured by number of vulnerabilities alone, the fact that they don’t know that “Unix/Linux” actually consists of a large number of different operating systems OR that the US-CERT doesn’t know it – or at least decided to pretend it didn’t know, in which case the question becomes “Is it worse to be incompetent or corrupt?”
And now, for the facts. First of, like I said before, “Unix/Linux” isn’t an operating system but rather a large number of very different operating systems like for example IBM’s AIX, Apple’s Mac OS X, RedHat Linux and NetBSD. As if this mistake wasn’t big enough, somehow, the US-CERT decided that a vulnerability in firefox was a “Unix/Linux”-specific problem even though the majority of firefox users are probably runing it in Windows. You can argue that most open-source OSes include firefox as the default browser and this a firefox vulnerability is more or less analog to a IE vulnerability in Windows (even though IE’s integration into Windows is much greater than FF’s in any Linux distro) but the bulletin in question makes no distinction between software integrated into the OS and third party software.
When the vulnerabilities are properly broken down by OS, the picture we get is quite different:

All of Microsoft’s discovered security exploits for Windows only amount to a pretty reasonable 44. Microsoft products in total (including MS Office, Internet Explorer, ASP.NET and the like) comes to 122.
(…)
Individual Unix distributions faired very well: Apple Mac OS X clocked in at 21 vulnerabilities, tied with IBM’s AIX. HP-UX had only 15 vulnerabilities. SCO had only nine.
For the top Linux distributions, things look peachy. Red Hat had seven vulnerabilities; Suse 12; Debian 10; and Gentoo a mere five.
Non-Linux open souce distribution FreeBSD clocked in with 13, while ultra-secure NetBSD maintained its reputation with two vulnerabilities reported.

And like NewsForge pointed out, US-CERT’s own Technical Cyber Security Alerts shows a different picture:

* 22 Technical Cyber Security Alerts were issued in 2005
* 11 of those alerts were for Windows platforms
* 3 were for Oracle products
* 2 were for Cisco products
* 1 was for Mac OS X
* None were for Linux

And more:

US-CERT’s list of current vulnerabilities contains a total of 11 vulnerabilities, six of which mention Windows by name, and none of which mentions Linux.

And like RedHat said comparing Linux with Windows: “fewer vulnerabilities were critical and patches were brought out more quickly.“.
And to make matters worse, all this talk about windows being more secure than the so called “Unix/Linux” operating system, the whole WMF drama is unfolding: first an Exploit Released for Unpatched Windows Flaw, then a New IM Worm Exploiting WMF Vulnerability, followed by Microsoft to Patch WMF Exploit Early and what is a drama without a hero? More dramatic. In typical MS fashion, the final exclamation point: Two New WMF Bugs Found. For 7 days a fairly serious vulnerability remained unpatched by Microsoft… what more can I say?
As a result the computer security community will be drinking its milk from a carton with the word “MISSING” in the back, right above a picture of US-CERTs credibility. Will it ever be found?

Netscape

I installed Netscape Browser 8.0 and was positively suprised by it. It’s basically Firefox with some additional (mostly useless) features like weather&news. But the real nice feature is being able to switch between the firefox rendering engine and internet explorer’s rendering engine. All the additional features make netscape a bit more complicated to configure. Netscape has become my 2nd browser of choice, after firefox, effectively replacing mozilla. Mainly because I have certain scripts that only run in IE. Try it out if you haven’t. It’s certainly worth it if you have the free time.

Tor

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

I’m trying out tor. So far my only problem with it is the relative slowness of the network I’ve experienced (around 5 secs to open a webpage that would otherwise be instantaneous). I tried it with Mozilla and Xchat and it seems to work as advertised. To those that are considering using it I recommend setting it with an alternative client software. For example, I’m a firefox user but while using tor I use Mozilla. I could’ve used firefox with the switchproxy extension but I don’t need privacy for most of what I do on the internet (who cares if I visit slashdot 10 times a day?) and the speed penalty of using tor makes it impratical for common browsing. Since I’m rarelly visiting only one page at the same time (call it multitasking or lack of concentration) – I usually have around ten tabs open – using tor with firefox becomes sort of anoying. I configured mozilla to always use tor and whenever I need privacy browsing the web I use mozilla. Same thing for IRC. mIRC uses normal net, Xchat uses tor.
I’ll try it out further and make a new post sometime later.

Additional Resources:
Launching Attacks via Tor
Tor: The Ying or the Yang?

How To Keep Your Computer Spyware Free – Basic Windows Security

- If you install Microsoft Windows yourself, make sure you are behind some sort of firewall (a simple router like the linksys BEFSR41 will do). If connected to the internet directly a vulnerable Windows PC will become infected within minutes (I’ve seen it happen within seconds). Even after your computer is installed and patched it should remain behind a firewall (preferably both a hardware firewall – any modern broadband router will do – and a software firewall. I’v used the Kerio Personal Firewall but I’ve heard people saying good things about the Tiny Firewall, both have free versions).
- Update Windows using “Windows Update”. Set automatic updates: Start -> My Computer -> Control Panel -> System -> Automatic Updates.
- Install AntiVirus Software. Norton Antivirus, Trend Micro, AntiVir, Bitdefender (version 8 is free), or any other you like. It is very important to have antivirus software. Make sure the antivirus auto-protect function is activated. Run it once at least once a month.
- Keep your antivirus software updated.
- Download and install Mozilla Firefox. Use it instead of Internet Explorer. Do not use Internet Explorer!
- Keep firefox updated. Firefox will notify you when updates are available with an arrow in the upper right corner, click it to download and install the updates.
- Download and install Spybot S&D. Run it. Go to Update, search for updates and download any available updates. Then click Search and Destroy -> check for problems. After it is finished go to “Immunize” and click “Immunize”. Repeat this process at least once a month and whenever you suspect you have spyware or adware installed. If Spybot seems unable to remove a adware/spyware program, reboot and enter windows in safe mode and run Spybot S&D. If this doesn’t work:
- Install additional anti-spyware software. Unfortunatelly, not all anti-spyware products detect & fix the same problems so it might be a good idea to have more than just one anti-spyware program. I recommend you use Spybot and if you experience spy/adware problems that aren’t going away, if you suspect you have spy/adware that isn’t being detect or if you are simply paranoid install Webroot Spy Sweeper.