Annals of Insecurity: Please, don’t buy a Mac

Up to 88% of Fortune 500 companies may have been affected by the Zeus trojan, according to research by RSA’s Fraud Action Anti-Trojan division, part of EMC. The trojan installs keystroke loggers to steal login credentials to banking, social networking, and e-mail accounts.

The botnet was first identified in 2007 and is still around today. The malware tends to be difficult to detect and remove, and several million machines worldwide are believed to be infected.

And also:

The malware itself predominantly attacks Windows XP machines, though Windows Vista and Windows 7 variants are available for sale too.

And later:

Smaller companies (those with fewer than 75,000 employees) appeared to have a higher proportion of infected employees, suggesting that perhaps larger corporations are more effective at securing their systems and data. Home computers not subject to corporate IT policy but used to access corporate mail and networks are a particularly high risk.

From Ars Technica, Almost all Fortune 500 companies show Zeus botnet activity

So, despite all the anti-malware software typical IT departments (and PC vendors) inflict on users and all the restrictions those users have to put up with (a typical user in a typical large corporation can’t install software for themselves, for example), we get this result. (I wonder if there’s a keylogger on my PC at work…)

BTW Zeus is freaking scary. Of course, Microsoft is there to help:

About a year ago the state of the art in malware advanced to the point where Windows indexing or Outlook preview would automatically open PDF attachments and allow infection without any explicit user action at all.

From a comment on Zeus Attack Spoofs NSA, Targets .gov and .mil

And, from the same series (of very intelligent comments) there’s this reminder that an attacker doesn’t need root access:

Keep in mind that this is the same trojan which will, according to BK in a previous Security Fix column, happily run under LUAs. That would, in turn, defeat the previous advice to use a LUA for day-to-day use.

Users live in user accounts. User data lives in user accounts. Everything valuable is in user accounts. Root access is for compromising systems — when the system essentially has one user it’s no comfort to know that “well, they may have stolen my identity but my PC still boots”.

Now, it’s worth noting that the Zeus botnet is based on trojans (which should, of course, be called Greeks) — there’s pretty much nothing one can do about trojans short of never downloading or installing anything on your computer. Perhaps Charlie Miller and other security researchers should be called Cassandras.

(Meanwhile, the first reports of Apple’s latest patch I saw were along the lines of “Apple forced to release patch just two weeks after last one”. Either Apple is too slow to patch, or it’s forced to hurry I suppose. At least PCWorld has stopped being weirdly hostile again and pointed out that Microsoft is yet to patch the IE8 vulnerability revealed at Pwn2Own.)

I’m pretty sure I’ve linked this site before, but it remains simply staggering how much malware activity there is on the Windows side of things. If Apple’s lack of market share is preventing this from leaking over onto my favorite platform, I have just one thing to say: please do not buy a Mac. Thank you.

Adventures with <canvas>

Acumen's Asset Viewer

Acumen is at 1.0 beta, and we finally settled on a hybrid image viewer. Google’s excanvas.js is used to fake a canvas in IE (getting it to work in IE8 was the trickiest part) but because excanvas.js runs pretty slowly and doesn’t support text (there are third-party text implementations for excanvas, but they’re also slow and don’t use standard fonts) I ended up using canvas just to render images. All main UI elements are implemented in HTML/CSS using jQuery.

Based on my googling, successfully creating a canvas that transparently works in either decent browsers or IE is not common knowledge, so I thought I’d share the method I came up with. I originally wrote this code for the pure canvas asset viewer (which forced IE users to install Chrome Frame); when I decided to reuse the code, I tried to simplify it, and everything I did to make it simpler broke it. I guess the me who wrote the original code wasn’t as big an idiot as the me who borrowed it thinks he was.

var c; // will contain a working canvas when we're done
var d = $('#div_that_will_contain_canvas');
var viewer_id = 'asset_viewer'; // id the canvas element will get (placeholder name)
var ie_version = some_expression_that_is_truthy_for_ie();
if( ie_version ){
	// IE doesn't know the canvas element, so build it with plain DOM calls,
	// size it via CSS, then let excanvas.js turn it into a VML canvas
	c = document.createElement('canvas');
	c.id = viewer_id;
	c.style.width = d.width() + 'px';
	c.style.height = d.height() + 'px';
	d.append( c );
	G_vmlCanvasManager.initElement( c );
} else {
	// real canvas: size it with the width/height attributes, not CSS,
	// otherwise the bitmap gets stretched
	d.html('<canvas id="' + viewer_id + '" width="' + d.width() + '" height="' + d.height() + '"/>');
	c = document.getElementById( viewer_id );
}

The main takeaway is that creating the canvas using a blob of html does not work for IE (because it doesn’t recognize the canvas element, and thus ignores its attributes) and using the standard DOM methods does not work for proper canvas elements (because using styles to resize a real canvas stretches the canvas).

If you have a cleaner way of achieving the same result please let me know—I’m not proud of this code, it just happens to work.

A Ribbon Runs Through It

Apparently Microsoft has been working on a game to help people learn how to use Office’s Ribbon. Ah yes, UI innovation that’s so powerful that — years after release — it’s now getting turned into a game to help people learn how to use it.

Meanwhile Scott Fulton points out that the Ribbon in the upcoming Mac version of Office is — for Mac users — a non-solution to a non-problem. It seems to me that it’s a non-solution to a non-problem in Windows as well.

My main experience with the “ribbon” thus far is using Outlook and I can’t think of a single thing I like about it. It’s modal, it makes some easy things difficult and some difficult things impossible, and it wastes vertical screen real estate. On the Mac it will have the added virtue of wasting even more vertical screen real estate (because the Mac version won’t replace the menubar).

I think the main problem with the ribbon is that it was intended to replace both menus and toolbars. But toolbars have the virtue of being customizable (so if you know you’re using certain commands a lot you can make them available all the time) while menus have the virtue of being non-modal (i.e. you don’t need to click through each “tab” to find out what’s available).

The big problem with the ribbon, at least in Word and Outlook, is that Microsoft never figured out that the basic problem with their word-processing UI is they bury the useful formatting commands (assigning styles) in the “power user” area and make the stupid formatting commands (e.g. the bold button) available in the most convenient area. If they could simply have moved the style-based formatting commands front and foremost then they could have stuck with toolbars OR made ribbons less annoying.

But at least we’ll be compatible with VBA viruses again.

Windows: a nice place to visit, but I wouldn’t want to live there

Note: The article refers to a video I found on YouTube that used to be here, but which disappeared. I have no recollection of this video, which I would love to replace, since this article remains topical today. I’ve tried Googling the unique id (which was 3F-ACkXn5tU), but all I find is pages with links to Mac vs. PC ads, and this was an ad from the 1930s.

It boggles my mind that Microsoft didn’t engineer a smoother upgrade path to Windows 7 for XP users. There are two possibilities: they wanted to but couldn’t manage it (i.e. incompetence, lousy architecture), or they didn’t even think of trying (utter stupidity). Consider this: when you repartition your hard disk using Boot Camp to install and run Windows on an Intel Mac you go through less pain than someone upgrading from XP to Windows 7.

It also boggles my mind that they’re charging full price for upgrades from Vista. OK, calling Windows 7 “Vista SP3” wouldn’t have shaken off the bad Vista mojo, but don’t burn your most loyal customers. (It’s also amazing to me that the only “smooth” upgrade path for Vista owners is to either one specific version of Windows 7 or the ridiculously priced “Ultimate” — and that PC reviewers don’t have a problem with this.)

Apple aims ads squarely at Microsoft’s Aero Jaw

It’s nice to see Apple nail the Windows 7 upgrade situation so nicely in a 30s ad. The funny thing is, I didn’t really see this as material for an ad campaign because — like most Mac users* — I live in an almost alien world where even a “clean install” doesn’t mean backing up your entire hard disk and reinstalling all your applications. The kind of stupidly painful crap a Windows user lives with is incomprehensible to me — and the lack of such painful crap seems like some kind of impossible utopia.

* I use both Macs and PCs, but I don’t keep anything I care about on PCs any more. So while I am a “PC user” in a technical sense, I’m just a tourist. I don’t have to live with that shit.

Microsoft’s “retail experience” — I can’t make this stuff up

It’s not which OS crashes more — Mac OS 9 was less stable than Windows 2000. It’s not which OS looks better — Mac OS 7.5 looked way worse than Windows 95. It’s which OS works better or worse by design. Number of times a typical Mac user has had to “back up all their stuff” before installing a new Mac OS: 0. Amount of time spent reinstalling apps after upgrading to Tiger, Leopard, and Snow Leopard: 0. It’s like the answer to Al Franken’s question, “how many medical bankruptcies were there in Switzerland last year?” Yes, Windows truly is the US Healthcare System of Operating Systems.

Apple’s other on-target ad (the third new ad, featuring a “faux news report”, seems crude, heavy-handed, and — worst of all — not funny to me) simply derides Microsoft for always promising and failing to deliver an experience that sucks less than the last thing it sold you… it won’t be like Windows Vista… XP… ME… 98… 95… 2. (Why did they skip Windows 3? I know why they skipped Windows 2000 — most of us remember it quite fondly.) Microsoft’s history of screwing up flagship software is pretty astonishing. Younger readers will not know that until DOS5 came out no version of DOS RESTORE could cope with BACKUP files from the previous version of DOS.

What the Microsoft Store really needs… Macbooks running Windows 7

Some guy apparently enjoying Windows 7 on a G4 "TiBook". The sad thing this underlines is that six year old Mac laptops still look better than anything Windows ships on.

This embarrassment tops off a rather red-faced Windows 7 launch week for Microsoft. At the London launch – held at a club called Hospital… – the company demonstrators failed three times to get the touchscreen Windows 7 PC to connect to the Internet.

The first two times it didn’t work they blamed the PC for having a loose cable. The third time it happened – or rather didn’t happen – they just stopped trying.

But still, you know, it’s better than Vista, right?