Web Misc

We Live in a Communication Age

Suppose the year is 1990, and you have some big news to share with those close to you and the world in general. How can you do it? There are a few ways:

  • In person
  • Over the phone
  • In a mailed letter
  • Through a printed announcement (say, in a newspaper)

Fast forward to today, a mere 20 years later. How much has changed? In addition to the ways mentioned above, look at all the new tools we have:

  • Voice chat (Skype, Google Voice)
  • Video conference (Skype, iChat)
  • Instant message (from any number of clients)
  • Text message (or MMS)
  • Email
  • Facebook (status update, wall post, private message)
  • Twitter (tweet, @someone, DM)
  • Blog post

And this is just what I used on Monday; there are many others. We’re more connected than ever before. We can reach more people, faster, through whatever means is convenient for them, and the list of applicable technologies just keeps growing. It’s incredible!

A brief take-away

Monday reminded me how many tools there are for spreading messages that I don’t normally use, and made me realize that sometimes I have to look outside of my usual channels to reach people in a way that is most effective to them. I’m sure there are other things I will think of over the next little while that I can communicate more efficiently using tools other than my defaults; perhaps the same is true for you?

Web Security

Are Google Wave invites to blame for recent Hotmail/Gmail phishing attacks?

I have no idea how the recent Hotmail/Gmail account compromises actually took place. What follows is a simple hypothesis based on a somewhat embarrassing anecdote.

Like many of you, I am currently waiting for an invite to Google Wave. Imagine my joy when this came across my inbox one Tuesday morning:

Subject: Google Wave invite

Congratulations! You’ve been invited to Google Wave by your friend {a close friend of mine with a Wave account}. Click the link below to register:

Still half asleep (and now bursting with joy!) I open the link, suddenly thinking it’s strange that Google would use a url-shortener to send me a Wave invite. As you may have guessed, what was waiting for me was not a desirable HTML5 product but was in fact a YouTube video of Rick Astley performing Never Gonna Give you Up — yeah, I got rick-rolled a year after rick-rolling people was cool.

Now I’m fortunate that my dear friend (it was davefp) has a sense of humour – the truth is I technically just fell for a phishing scam, and I’m lucky there was no malicious intent involved. This got Dave and I talking; phony Wave invites would be a very opportunistic way to steal account credentials from eager Gmail users, and could be what caused the recent account compromises.

Let’s look at the reasons why I was inclined to trust the link in the email I received:

  1. I was expecting an invite
  2. It looked like an invite
  3. I was half asleep
  4. I was overjoyed

I was expecting an invite. There are thousands upon thousands of Gmail users anxiously awaiting Wave invites. There are thousands upon thousands more that have no reason to expect an invite but would still take one if one were offered to them. This is an exciting product, after all.

It looked like an invite. Sure the shortened url was one possible give-away, but even that could have been improved by masking the url with text that looked like a safe url, such as Add a couple of Google images and maybe a formal signature and this could have been a lot closer to foolproof.

I was half asleep. Admit it, you’re not always paying attention when you check your mail either. We check our email late at night, early in the morning, on our mobile phones, while we’re eating or playing with a pet; there are all kinds of distractions that may contribute to not paying full attention to routine tasks like checking email.

I was overjoyed. Don’t discount this one &#8212 human emotion is what sells a social engineering attack such as phishing. I had a rush of feelings and thoughts flying through my head as I clicked a link I barely looked at: who do I know that already has wave? I hope it’s awesome! who will I invite? I should thank Dave for inviting me! where’s the link for that two-minute introduction video I saw the other day?

Of course it could just be a coincidence that Wave launched a few days before a high-profile phishing scam, and it could be that I’m the only one stupid enough to fall for a prank like this, but at the very least I think it’s conceivable that a phishing attack based on Google Wave invites could have snagged 30 000 users or so from a group of major email providers.

Am I out of my mind? Have you heard a better explanation? Share some thoughts and leave a comment.

Web Technology

Does Chrome Frame do more harm than good?

There’s been a bit of buzz around the web lately after Google proposed a solution to the IE6 problem in Chrome Frame. While it seems like a great idea up front, there’s actually quite a bit of controversy behind whether or not this is a valid solution. Read on for a quick summary of anything you might have missed, followed by my own take on the matter and a chance to share yours.

Let’s get you caught up

Internet Explorer 6 is a browser that was created for Windows XP and released in 2001. Due to the massive popularity of XP and the widespread adoption of the Internet Explorer name going into this millennium, it’s still used today by a non-ignorable portion of web users. This is a problem for web developers, because it’s often necessary to bend over backwards in order to get new and exciting web products to perform reasonably in a browser that is about half as old as the world wide web itself.

While developing Wave, Google had to come up with a solution for IE6, and decided to do something novel by creating a plug-in for Internet Explorer which replaces the entire web page with an instance of Google Chrome, a very modern browser capable of rendering the latest-and-greatest the web has to offer. This “Chrome Frame” is then used to render the intended page, all completely transparent to the user who is still using and looking at Internet Explorer.

Now obviously this was met with a bit of backlash from Microsoft, who was none too happy seeing Google inject its Chrome rendering engine into Redmond’s (in)famous browser. They pointed out that this makes IE less secure, which Google obviously disagrees with, and some blogs noted (correctly) that Chrome Frame breaks accessibility features in IE which is kind of a big deal. Further supporting Microsoft was Mozilla (!) who referred to the Chrome Frame solution as &#8220browser soup&#8221.

Of course there are many proponents of Chrome Frame as well; it is a very convenient way to handle the growing discrepancy between IE6 and the modern web, and in some cases that benefit alone will outweigh the issues described above. There’s an article about how Chrome Frame will affect the corporate world which has sparked some very interesting discussion in the comments (which are now more enlightening than the article itself) &#8212 I highly recommend taking a look.

My thoughts on the matter

I think an underrated aspect of this debate is that this is about users, and what they expect from a browser. It’s not a technical problem, and it shouldn’t be met with a technical solution. Google is essentially offering a patch that will encourage users to continue browsing the web with a broken browser. What Google should do is inform users of the problems with IE6 and explain the benefits of a new browser with a very strong recommendation to upgrade. This will result in more educated users using better browsers, which is far more valuable to Google and the web as a whole than more users still clinging to IE6.

What’s your take?

There are a lot of different ways to look at this issue. Share your perspective and leave a comment!