I’m on Fire! (kindle fire)

The adventure begins. This post was created partly using the kindle fire – the color ereader/tablet from Amazon. For blogging it is a noticeable improvement over a phone – but not really up to the task as much as I had hoped. However the auto-correct is not quite as obnoxious as the Apple version.

But it is only intended as a casual replacement for a full-blown computer, at least for me. I bought it to a) read books; b) watch videos; c) read websites and d) listen to music.

So far it’s done quite well with the first three functions… read two books already, and am about 1/3 of the way through a movie. My spot-check of music playback shows the audio is fine; but I’ve only got a few songs in the Amazon cloud. So a task added to the list is to introduce the kindle to one of the beasts and move some music onto it.

The user interface, at least for performing the basic tasks of read book / watch movie / listen to music, is as intuitive as I’ve ever encountered; kudos to the designers at Amazon. Also good – you can change the background color for the reader; I’ve settled on black text on a yellowish page.

Something to consider for the book industry – a reasonably-priced relicensing method for books. I have a number of traditional bound books which also exist in kindle editions… I’m willing to pay a transfer fee to have them on kindle, but not the full-freight either-or pricing that exists today. I suspect the publisher who comes up with a method for this will quickly enjoy even higher revenues. Yoo-hoo! Baen? O’Reilly? (my picks for the two most capable of stepping up to the plate on this.)

Back to the movie. I’ve still got 31% battery power remaining. Let’s see how far it goes!

How I browse the web

Previously on this blog, I wrote about why I routinely block execution of JavaScript. I think it opened some eyes. In this post I’ll look at the precise software and settings I use for web browsing.

During a typical day, I use three browsers. Internet Exploder I use for the handful of sites which are crippled (apparently by intent) and with which I absolutely must interact. In practice this means those who’ve lost their minds and deployed Microsoft Exchange. Google Chrome I use for Google Maps and some other sites… if they ever fix the sandbox I’d use it far more often.

Most browsing is done in Firefox. Today I’m running Firefox 10.0.2. I have several extensions installed – principally NoScript, AdBlock Plus, Fireshot, TinEye and HTML Validator. Only the first two are security-oriented.

NoScript is a JavaScript blocker. I use it in the most restrictive form; it only allows JavaScript to execute if I’ve approved it. Right now I’m allowing scripts from wordpress.com (hosting site), wp.com (hosting site), gravatar.com (icons and avatars); and I’m forbidding quantserve.com (advertising metrics).

My “whitelist” runs to about 1100 entries; these are all JavaScript sources I’ve come to trust. Everyone else is in the temporary list.

Yes, it’s annoying to have to whitelist everything. There are a few sites where I can’t come up with a good mix, and thus for vimeo and wimp (video sites) I use Chrome. This is certainly not for everyone… but doing things this way allows me a great peace of mind in clicking and exploring.
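To make concrete what the whitelist is deciding on each page load, here is an added example (my code, not from the original post) that pulls the script tags out of a page’s HTML, resolves where each one would be loaded from, and sorts the hosts into “allowed” and “blocked” the way NoScript does: a whitelisted site covers its subdomains (allowing wp.com covers s0.wp.com), and inline scripts run only if the page’s own host is allowed. The allow list is the one quoted above; the page URL and the HTML are constructed for the demo and do not come from any real page.

```javascript
// Added example: classify a page's script sources against a NoScript-style allow list.
// Allow list taken from the post; sample page URL and HTML are constructed here.
const ALLOW_LIST = ["wordpress.com", "wp.com", "gravatar.com"];

const SAMPLE_PAGE_URL = "https://example.wordpress.com/2012/03/01/post/"; // constructed
const SAMPLE_HTML = `
<html><head>
<script src="//s0.wp.com/wp-content/js/devicepx-jetpack.js"></script>
<script src="https://secure.gravatar.com/js/gprofiles.js"></script>
<script src='http://edge.quantserve.com/quant.js'></script>
<script type="text/javascript">var x = 1;</script>
<script src="/wp-includes/js/jquery.js"></script>
</head><body></body></html>`;

// Resolve a script src (absolute, protocol-relative or relative) to a hostname.
function scriptHost(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null; // malformed src: report it rather than guess
  }
}

// A host is allowed if it equals a whitelisted site or is a subdomain of it.
// The leading "." in the suffix test keeps "evilwp.com" from matching "wp.com".
function isAllowed(host, allowList) {
  return allowList.some(site => host === site || host.endsWith("." + site));
}

// Walk every <script ...> tag in the HTML and report what would run.
function auditScripts(html, pageUrl, allowList = ALLOW_LIST) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const allowed = new Set();
  const blocked = new Set();
  let inline = 0;   // scripts with no src: run under the page's own origin
  let unparsed = 0; // src values that could not be resolved
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const s = srcRe.exec(m[1]);
    if (!s) { inline++; continue; }
    const host = scriptHost(s[1] || s[2] || s[3] || "", pageUrl);
    if (host === null) { unparsed++; continue; }
    (isAllowed(host, allowList) ? allowed : blocked).add(host);
  }
  return {
    pageScriptsRun: isAllowed(pageHost, allowList), // governs the inline scripts
    allowed: [...allowed].sort(),
    blocked: [...blocked].sort(),
    inline,
    unparsed,
  };
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL), null, 2));
```

Run with `node` and you get the same picture the NoScript menu gives for the constructed page: the hosting and avatar scripts are allowed, edge.quantserve.com is blocked, and the one inline script runs because the page host itself is whitelisted. The regex parser is deliberately simple; it will not see scripts injected later by other scripts, which is exactly the class of thing that only shows up once you let the first script run.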

AdBlock Plus is, as the name implies, an advertising blocker. I run it in full-blocking mode – by default it operates in “nice” mode (or something like that) to allow “some” ads.

Dear website operators – I will pay subscription fees. I will not sit through interminable ads – nor do I enjoy having ads which carry along malware infections as part of the “animation” scripting. It’s always a shock to see just how many ads play on some sites… and the lack of care with which so many companies use ads (aside – if you’re a car repair emporium is it really wise to run advertising for brands of tires you don’t sell – and ads which go to your competitor when clicked?).

The other tools mentioned above… Fireshot is used for screen grabs; HTML Validator looks for problems in HTML (useful when testing the website you just created); TinEye searches for the source of photos.

Here are some more hints for safe browsing:

1) I don’t do games. I block every new Facebook game which comes along; the only online game I’ve played in many a year was Angry Birds for about 5 minutes via Chrome. That was enough.

2) I don’t download new software to be able to see the wonderful video-of-the-day. If it won’t play on Firefox I evaluate the source; and perhaps play it in Chrome. But first I check NoScript to see where the playback scripts come from.

3) If I’ve never heard of the site before, I open a window for Google search and enter the name of the site and see if Google thinks it’s ok. The StopBadware gang is quite adept at turning over rocks.

Why I block JavaScript

This subject surfaces from time to time, especially when I’m conversing with the bleeding-edge web design community. “You do WHAT?” followed by a lot of strange looks and laughter is the typical reaction. Then I’m told all about how JavaScript has been “modernized” and “browsers are sandboxed” and other nice things.

I run a variety of browsers; the current desktop has Firefox (with NoScript); Chrome; IE 4; IE 6; IE 8; and Lynx. Most of the time I browse with Firefox/NoScript. Yep, it slows me down, and there’s the minor annoyance of having to set temporary JavaScript execution privileges. This post will attempt to explain why I do things the way I do. Standard disclaimers apply.

First two-word explanation: Zeus Trojan.

The Zeus Trojan is a credential stealer aimed at online banking logins. It is usually delivered as a drive-by download: a compromised or malicious website serves JavaScript that fingerprints the visitor’s browser and hands it off to an exploit which drops the payload, with no click required. As JavaScript has “matured” it also allows for much-improved obfuscation and cross-linking and all sorts of nice ways to operate an attack vector dynamically (to the point where most Zeus variants check location data and refuse to infect systems in certain countries).

For US-based small business (and local government) there is no protective cap on money stolen via identity fraud: unlike consumer accounts, which are covered by Regulation E, business accounts get no statutory limit on losses from fraudulent transfers – and draining such accounts is the standard use of Zeus. Once the credentials are acquired the thieves can empty a bank account in a matter of hours – and in practice the bank is rarely held liable. The money is gone; the victim is not going to get it back.

A part of my professional practice deals with security – no, I’m not going to enter a forum with all the scripts executing. I would only look foolish.

…and as I’m writing this post, in over the transom flies this notice – Google has awarded $60,000 as a prize in the Pwnium competition, for a method to overcome Chrome’s “sandbox” feature and run code on a fully-patched Windows 7 system. All that is necessary is for someone to browse to an infected website – viewing the page is sufficient to load and execute the payload. A little bit of JavaScript acts as an enabler – there’s no need to bother with an exploit attempt if the browser is something else.

Another reason not to automatically run JavaScript is a common Facebook malware attack – the click-jacking survey scams which pop up several times a day. Click-jacking is a specialized attack vector on Facebook which works by having the victim click on a link – which leads to a survey – and also “spams” the link as a status post from the victim. If you run with JavaScript enabled you’re usually taken straight over to the payload page – which is typically a survey… but it might be something worse.

By not running JavaScript I get stuck on the interstitial dispatch page; this is where the Facebook click-jack link leads, and this page contains various JavaScript functions to identify the victim. Typical contents of these pages include a bit of geolocation which is used to decide which survey to play. From time to time, I see ones where the dispatch code includes a mechanism to reject the entry if location appears to be in .ru, .ua, .by or .ge – authorities in these countries only track cybercrime if local users are affected. Generally speaking, if the interstitial page contains the ru-ua-by-ge code, the payload page is loading something other than a simple survey.

But security isn’t the only reason to avoid JavaScript.

Second two-word answer: Existing Investment.

This probably comes as a shock to many web designers – but companies don’t rush right out and buy the latest technology just because it got a great writeup on Reddit or Slashdot or wherever, or even if it’s the best seller on Amazon or the Apple store. There are a lot of systems out there with no capacity to execute JavaScript (embedded devices) or where internal policies discourage its use. I’ve been writing web-apps for more than a decade which require no JavaScript or even cookies on the browser in order to maintain state… and I know that some of these clients are not going to change those devices or policies for at least several years. Have you discarded your car simply because its OBDC works at a glacial 1200 bits/sec on a serial port?

Not executing JavaScript allows me to see how these clients perceive the “outside world” and thus better understand their mindset. It is very interesting to see which major companies’ websites are still functional without JavaScript (although not all the bells and whistles may work).