So a new Zune update has just come down, and it adds welcome support for Windows 7 libraries.
Awesome. Now it behaves like it should, like Windows Media Player and Windows Media Center. You should have a single library for music that can span multiple locations and computers. No longer will the Zune want to put its music in Music\Zune, but rather it'll use the default folder that the Music Library specifies, and best of all, no matter what application I use, Media Player or Zune, I'll see the exact same content. Now if only more primitive software like iTunes could work this out instead of maintaining its own library isolated from everything else.
Even more impressive, especially for podcasters like myself, is that it creates a new Podcasting library.
Yes, I subscribe to my own podcast (well, I have to make sure it works). Hopefully with this level of exposure it will bring millions more into podcasting.
Internet Explorer 8 is more secure, and why the Firefox fanboys and the media need a security lesson
So Internet Explorer has been the media's main victim this past week, with stories about how it is completely insecure.
Of course having a vulnerability isn't a good thing, but why is this getting so much attention, especially considering it's not even being used to target individuals? Well I suppose the media have to knock Microsoft, it's about the only thing they can do when it comes to Microsoft so this will have to do.
Tech Radar recently interviewed Microsoft's head security guy in the UK, Cliff Evans, and did a pretty bad job of it. Evans was explaining how switching away from Internet Explorer 8 isn't a good idea, something I agree with.
"If you were to ask me 'what's the most secure browser?' I would say Internet Explorer 8 – we're talking about a single vulnerability," he added.
Ouch, a single vulnerability, that's bad, right? Some guy called richmurrils seems to think so and comments:
That's the funniest thing I've read in ages.
Of course, what he really demonstrates is how little richmurrils actually knows about technology or security (I expect he was one of the people telling people to turn UAC off /facepalm), and how Tech Radar can't report things in context. So I'll put things in context even if they can't be bothered to: Firefox 3.5 has had at least 35 documented security vulnerabilities. Linux-based operating systems can have hundreds of vulnerabilities discovered each year; Windows historically has had the fewest, usually just a dozen or two discovered every year. A single vulnerability isn't anything unusual.
Of course, nobody bothers reporting that this vulnerability can only be exploited on Internet Explorer 6, a 10 year old version, and on Windows XP, a 10 year old operating system. Do Mozilla even bother to support such old products? Of course not.
Alright, sure, the vulnerability still exists in later versions, but it cannot be exploited on newer systems because of the additional security measures Windows Vista and later provide, namely Protected Mode, made possible by UAC.
When using Firefox, a hacker only has to exploit code in the browser to run code on the machine. Exploiting Internet Explorer not only requires them to find a vulnerability and exploit it, but also requires them to somehow break out of the Protected Mode sandbox. Charlie Miller, a security researcher, talked a bit about this during the Pwn2Own contest:
Why Safari? Why didn't you go after IE or [Firefox]?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows (Vista and later -Paul).
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.
It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.
Of course, 3rd parties could use Protected Mode on Windows Vista and later like IE7 and 8 do. But Mozilla, Opera and others simply don't bother. They let the process run with the same rights as the user, which is fundamentally less secure than running the browser in its own little sandbox where it can't get out.
In reality, vulnerabilities like these are rarely what normal people come up against on the internet. The main problems are phishing and malware, both of which are socially engineered to get the computer user to either hand over their data willingly or willingly install an application that's malicious. So how does Internet Explorer compare? IE8 blocks 83% of phishing websites completely, compared to Firefox, which blocks 80%. Internet Explorer 8 blocked 81% of malware before it reached the machine, while Firefox blocked less than 30% and other browsers scored even worse (source).
So not only is it more difficult to exploit vulnerabilities on Internet Explorer 8 on Windows Vista and up, the malware and phishing filters are also better on IE8, something that will protect most computer users.
One last comment is on how well Google and the media have spun this around from a story about how Google got broken into and people's personal data was stolen into a story about how a 10 year old browser on a 10 year old system has a single vulnerability, without even asking why Google are running such dated systems or without bothering to report that newer versions of IE aren't as susceptible. Nice spin department working there.
Update: Mark informed me that Chrome also runs in a sandbox.
The BBC have a headline that reads "German government warns against using MS Explorer". Well that's no problem, as I've never even heard of an MS Explorer. Of course what they're really going on about is Internet Explorer, and how version 6 was used to compromise Google's systems.
find an alternative browser to Internet Explorer to protect security.
Who knows what "protect security" actually means. Perhaps they mean protect their systems, or improve their security. Seriously, who wrote this article?
What they should really be having a go at is what sort of incompetent system administrators would be using a 10 year old browser on a 10 year old operating system. Ed Bott says such administrators should be guilty of malpractice. And I agree with him: what sort of people are running the IT departments of companies like Adobe and Google to allow such dated technology on the network?
Even three year old systems like Windows Vista and Internet Explorer 7 in the default configuration are immune to this sort of attack.
And it is just amazing that this has somehow been spun into an anti-Internet Explorer story when the real story is how can we trust Google with our data in the cloud when they're running such antiquated systems?
Until yesterday I had never really bothered checking out the Zune, as the actual device wasn't available in the UK. The marketplace obviously wouldn't work in the UK, not that I'd probably buy anything from there, as I do prefer my CD-quality sound. But one thing about the Zune had always interested me, the social aspect of it, and the recent rumours of a Zune client being available for Windows Mobile have made it far more interesting, and removed a lot of the potential lock-in aspects, like only syncing protected tracks to Zune devices.
Since moving to Aldershot and having to spend more time travelling, I find I actually listen to music and podcasts a fair bit more. You need something to do on these long boring treks back and forth from town, right? Right, so I've been listening to music, but over the last couple of months my music collection, which has barely changed in 5 years, has started to feel old.
So yesterday I decided to try and get the Zune software working, at least partially to try and get Zune Social working. I don't have many friends in the US (the Zune shares your Xbox Live friend list), just a few, but two of them use the Zune and I can see what they're listening to and so on. After spending a while in the registry I managed to get the marketplace to display, I managed to log in with my UK Windows Live ID and I thought I was all set. Wrong. Zune Social didn't seem to be working. So I am assuming they're either filtering any non-US/Canada IP addresses or they're picking up the locale your computer is set to and filtering that server side. I could of course set my computer to the United States (which I really, really wouldn't want to do), but then it won't sign in with my Live ID. I could of course create a new Live ID based in the US, but to be honest that's too much hassle.
The Zune software itself is fantastic, far far better than I imagined. It has loads of gorgeous fluid animations and it looks awesome. I can see why many people have argued it should come with Windows and replace Windows Media Player, but there are counter arguments, let's be honest: Windows Media Player has a much lower memory footprint, much faster loading times and syncs with virtually any mobile device that isn't locked down, i.e. iPod and Zune.
What would I like to see?
Stop blocking international users from using Zune Social. OK you won't be making money off us but it will be building mindshare. People will visit my blog and the websites of thousands of other people and see Zune Social badges.
Ideally of course I'd like to see it supported in the UK. Not tied to the Zune hardware, but opened up at least to Windows Mobile. And I'd like to see the Zune Pass priced at £7.99 a month at the most, or better yet £4.99 which would be an insanely successful price point.
Gorgeous picture today from NASA's Terra satellite. Taken about 8 hours ago, it shows a snow-covered Great Britain. For those not in the know, we've probably been hit with more snow than we've had in decades, and this picture nicely captures it.
Now if only our country was more horizontal, at least then we could use it as a wallpaper.
Higher resolution (right down to 250 metres per pixel) versions are available from NASA.
Update: A few people have said NASA's website is being a bit slow for them, so I've uploaded the highest resolution version here.
Some guy going under the name Chas_chas_123 thinks Richard Dawkins isn't sure on his "faith".
He is seemingly unaware that atheism is not based on faith. Everyone is born an atheist, and everyone is an atheist in respect to most of the gods that we've ever dreamt up. Faith is choosing to believe in something, like a supreme intergalactic dictator, without evidence. Atheism is simply the default position towards theistic superstition.
Arch-atheist Richard Dawkins recently supported a campaign saying "There's probably no God. So stop worrying and enjoy your life"
Doesn't seem that he's very sure of his faith?
Is it rational to bet your life on a 'probably'?
"There's probably no God" refers to an advertising campaign run on buses in the UK, which Richard Dawkins supported, but the original idea was that of Ariane Sherine.
As an atheist myself, I cannot say for certain that there is no [insert your favourite god here]. Just like I cannot say there are definitely no Leprechauns or Langoliers, or that we definitely do not live in a computer simulation. However, based upon what we know about the universe, the god hypothesis is unlikely. The specific god of certain Bronze Age beliefs from one tiny planet from one tiny period in time is even more unlikely.
No rational person would say that there is 100% definitely not anything, because a rationalist is always open to the possibility that something could be proven to exist given sufficient evidence.
Here's what Richard Dawkins had to say about the word probably in the slogan:
I would like to add that using the word probably helps atheists/rationalists/sceptics etc. differentiate themselves from absolutists like those of a religious background. You'll never see Christians use the slogan "There probably is a God, and there probably is a Hell for you to burn in for eternity, so you should probably go ahead and be a Christian".