Archive for January, 2008
Internet Explorer 8 and Acid2: A Milestone
Wednesday, January 30th, 2008
As a team, we’ve spent the last year heads down working hard on IE8. Last week, we achieved an important milestone that should interest web developers. IE8 now renders the “Acid2 Face” correctly in IE8 standards mode.
Acid2 Face
If you’re not a web developer, the details of this blog post probably aren’t all that interesting for you. I’d like you to know that we’re building IE8 for many different customers (consumers, web service providers, independent software vendors, enterprises, web developers, and others), and we’ll cover more details of the non-developer oriented work (e.g. user experience, reliability, security, etc.) in other posts in the future, after MIX. While web developers will immediately recognize what Acid2 means, I want to step back and offer some context for other readers of this blog who may not be familiar with web standards. Briefly: Acid2 is one test of how modern browsers work with some specific features across several different web standards.
At first glance, this test seems simple. I think it actually offers a view into the subtle and complex world of web standards in a number of ways. Showing the Acid2 page correctly is a good indication of being standards compliant, but Acid2 itself isn’t a web standard or a web standards compliance test. The publisher of the test, the Web Standards Project, is an advocacy group, not a web standards defining body.
When we look at the long lists of standards (even from just one standards body, like the W3C), which standards are the most important for us to support? The web has many kinds of standards – true industry standards, like those from the W3C, de facto standards, unilateral standards, open standards, and more. Some standards like RSS or OpenSearch lack a formal standards body y ..
2008 SANS REPORT
Tuesday, January 29th, 2008
How Critical is the Internet?
Thursday, January 24th, 2008
More and more of us are leading increasingly virtual lives. It seems as though the Internet accounts for more of our activities every day. We bank online. Some of us shop for food. We buy clothing and other retail goods. We use email and instant messaging constantly, and stay in touch with family and friends via online photo albums. I’ll admit I spend far too many hours per day online (which has an effect on my waistline, but that’s a different story).
So, what if the Internet died tomorrow? That’s the question an article at Network World asked, and it’s a good one. No more email (or, happily, spam). No instant messaging. Businesses that have transitioned to a Web-enabled model would need to revive old analog methods. Facebook, LinkedIn, YouTube, and other Internet-only companies would vanish altogether. Do you use VoIP? If so, your phone would stop working too. Your mobile network would be gone as well, since it’s all digital and every phone today has its own IP address.
Internal corporate networks might survive, but they’d be crippled since no external communications would be possible. Companies that currently use IP tunneling or virtual circuits to connect offices to one another would be crippled. Governments would be in serious trouble as well, since more and more services have migrated to an online model over the last decade.
Happily, the chance this will happen is relatively small. One thing that might do it is a major natural disaster that killed a massive portion of the power and telecommunications grid, but it’d need to be a massive event to affect the whole network. The current Internet is designed with massive redundancy and extreme fail-over capabilities. The “Internet Core” consists of multiple mirrored systems in multiple locations. It’s designed to survive attacks by hackers as well (someone tried a few years back and there was no discernible effect).
Loss of the Internet wouldn’t directly kill anyone, but it’d change daily life on a massive scale. Do you remember how you lived before the Digital Revolution? And would you want to go back?
Vista SP1: Still Not Enough?
Thursday, January 24th, 2008
We’re getting closer to the much anticipated release of Vista SP1. As I noted a few weeks ago, Microsoft released the Beta code to anyone who wanted to try it out in advance (and probably figured they’d get some free software QA from the deal as well). The good news is that early reports indicate it’s better than the initial release. The bad news is that it may not be good enough to overcome pervasive objections to the product’s features and performance.
The biggest complaint I’ve heard so far is about the UAC, or User Account Control feature. This is brand new in Vista, and it’s designed to provide better security by limiting user-level privileges. The idea is to prevent installation of unwanted software (read: malware) by forcing users to approve such installations in advance. Too many users either log into the Administrator account or give their personal account full administrative privileges. This means the user has full control over the system, and software will be installed automatically. This is great until you hit a URL that silently downloads and installs malware on your machine, or click on a piece of spyware masquerading as a legitimate application.
The UAC is supposed to fix this by asking the user for explicit permission to install new software. It’s also supposed to ask for confirmation before performing other potentially hazardous actions. The problem is that it’s too pervasive and annoying. One reviewer noted “Just try to add, remove, or rename any of your Start menu folders, or to set your system clock. Any such attempt involving various common, everyday, and relatively safe tasks will cause your screen to go dark, after which a scary confirmation prompt pops up, requiring an extra click.”
The usual reaction to this level of annoyance is to shut off the UAC altogether. That’s a bad idea because it’s really there to save you from yourself, and from malware vendors. The same article provides a better solution, which is to turn off only parts of the UAC’s notification system. SP1 apparently hasn’t changed the existing behavior. As a result, many users will probably just turn it off. Hopefully it’ll be improved in a subsequent release.
Otherwise, SP1 seems to address a number of serious problems with Vista’s base release. File copying times allegedly have been improved, as have system boot time and other performance-related issues. Network browsing issues have been addressed, and early support for some emerging technologies (EFI and exFAT) is included.
Will SP1 save Vista? The jury’s still out, and the code still isn’t released.
Ntdll.dll “Stop” and “Fault” Errors
Wednesday, January 23rd, 2008
A Better Way To Do Backups?
Tuesday, January 22nd, 2008
Managing backups and properly archiving data is becoming increasingly difficult. Data density on laptops and desktop machines continues to rise due to the arrival of new disk technologies. Who would have thought we’d ever see 1TB on our home PCs, or something approaching that on laptops?
Now things may be getting easier, at least for corporate users. EMC is starting a new SaaS (Software as a Service) offering that allows users to back up their laptops to secured locations within EMC’s own network. The service, called MozyEnterprise, provides online storage space that allows users to transfer some or all their files to the remote storage site.
According to a press release, “EMC announced EMC Fortress, described as a secure development platform, and its first application, an online backup service called MozyEnterprise. The release follows EMC’s acquisition of Berkeley Data Systems last October.” It’s all about the security. Backing up data to remote sites is old hat. Backing it up via a secured channel, in a way that makes it difficult (nothing is impossible) to hack into, is the real trick.
While some other companies have experimented with such a service, concerns about security lingered. Many companies aren’t willing to allow their data to be stored on sites that aren’t directly controlled by their own corporate IT managers. This is understandable since outside vendors may not offer a level of security that’s appropriate for a given application. Is the outside firm trustworthy enough to handle, for example, massive amounts of legal or medical information?
There’s also the problem that an outside storage site will surely become a magnet for hackers. It’s sure to be a rich hunting environment for data thieves, and the first person who breaks into such a resource might gain access to unprecedented amounts of private information. It’s a corporate saboteur’s dream.
This new technology might just fly. It’s certainly hitting the market at the right time, and if done right may prove to be the better mousetrap. If it’s subject to any high profile successful break-in efforts, it’ll be consigned to the dustbin of tech history.
Cyber Crime On The Rise
Monday, January 21st, 2008
Lock down your networks. The SANS Institute has rated cyber espionage as public enemy #3 on the “cyber menace scale,” a situation that’s not likely to change except for the worse. We’re not talking about simple malware infestation or botnet attacks, though they’re a continual problem as well. Instead, more attacks are being reported on specific networks in order to steal targeted information.
The problem will continue to grow, and there’s good reason. More and more businesses and government agencies are placing increasing amounts of data online. They’re doing business via the Internet. They maintain vast archives on allegedly protected Intranet systems behind supposedly robust firewalls. But I recall a comment made by a hacker some years ago that “firewalls are hard on the outside, but soft and chewy inside.” They’re not a guaranteed data protection method, and additional IDS (Intrusion Detection System) safeguards are needed to check up on the firewall’s effectiveness.
According to SANS, “economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source.”
Industrial and government espionage is nothing new. Workers are regularly subjected to social engineering attacks that involve no high tech equipment whatsoever. A classic method involves someone in a bar buying drinks for a competitor’s employees so they’ll start talking freely, while another involves slipping an outsider into a meeting to listen in on negotiations or trade talks. You’d be amazed how successful either of these tricks can be.
Now, just imagine someone sending email from a bogus address to your employees, citing details about an upcoming contract and asking for additional information. They can claim they’ve lost a critical memo or are being pressured by their own boss to finish quickly. How many of your people will bother to check the reply-to address before responding?
Dealing with cyber espionage requires awareness, training, and an appropriate level of skepticism. Do your employees have the tools to deal with it?
Bad News For High Speed Internet Users
Thursday, January 17th, 2008
For years, home Internet users have been accustomed to fixed price service plans that permit unlimited data transfers. While phone-based services often charged on an hourly basis, the amount of data transferred was never a factor. This may be changing for the worse, since Time-Warner apparently is experimenting with “tiered” services that bill customers based on the amount of data downloaded in a given month.
Some providers are rumored to have been considering such a pricing mode, but in general it makes little sense since the price of overall connectivity has been dropping steadily. Every major provider has switched to fiber based networks and generally has bandwidth to spare. The only reason to introduce a data-driven pricing model is to punish users who make heavy use of their connection on a regular basis.
In fact a Time-Warner spokesman said as much, stating that “the trial was aimed at improving the network performance by making it more costly for heavy users of large downloads. Dudley said that a small group of super-heavy users of downloads, around 5 percent of the customer base, can account for up to 50 percent of network capacity.”
This may be very bad news for anyone who uses YouTube, Second Life, Flickr, and any other network-intensive online resource. Time-Warner’s statement doesn’t say much about what usage level could be considered “super-heavy,” except to note that “the heavy users were likely using the network to download large amounts of video, most likely in high definition.” If adopted nationally, this plan opens the door for providers to implement rate hikes whenever it seems profitable to do so, and to dub any application a “super-heavy” offender.
I suspect this plan will evoke an extremely negative reaction, not only from users but also from content providers whose business models will be threatened by the new plan. Video producers like movie companies have long term plans to provide increasing amounts of high quality, high definition video content via the Internet. These plans may suffer a setback if users are threatened with punitive rate hikes for making use of such services. This won’t go over well with anyone.
Time-Warner users should protest this action, as should anyone else whose provider starts “experimenting” with activity based pricing schemes.
The Latest on SCO
Thursday, January 17th, 2008
The SCO wars took an interesting turn recently, when Novell (which was recently determined to hold actual ownership of the UNIX code) decided to sue SCO over potential royalties. The rationale is that since Novell actually owns the patents, any money collected by SCO is actually Novell’s.
The future is not looking good for SCO. At last report they were declaring minimal income on licensing deals, had nearly zero available cash, and no new products. They haven’t been profitable for years. Their long-running lawsuit against IBM over allegations of Linux code including source taken from UNIX is producing no result and is unlikely to succeed. Worst of all (from their viewpoint) last year it was determined that they didn’t even own the copyrights they’d been suing everyone over. Thus was born Novell’s lawsuit over royalties. SCO declared bankruptcy in September and is now under Chapter 11 protection.
All this is sad, since the company obviously chose the wrong path in their quest for profits. As Jim Zemlin of the Linux Foundation commented to Network World in September, “SCO could have chosen a path similar to Red Hat to offer open source solutions and value-added services around that,” said Zemlin. “Instead, SCO chose a path of litigation and the result has been the filing of Chapter 11 bankruptcy.”
However, it’s all good news for the Open Source movement and Linux itself. The dark and ominous cloud under which the OS had been operating now seems to be dissipating. No one is afraid to buy licenses. The lawsuit against IBM is sure to end soon. SCO has totally failed to demonstrate any of its claims in court. The sun is out again, and the future is bright.
For some reason I’m reminded of the Lord of the Rings books and the Enemy’s attack on Gondor. The dark cloud over the city broke too soon. The attack was based on incorrect information and ultimately failed. I’m sure SCO’s Darl McBride would hate to be cast in the role of Sauron, but the Elves of Linux would probably nominate him for the part in a heartbeat.
