If you tell enough stories, perhaps the moral will show up.


Spam Counter - 2008 September: 1355

Among the penis pills and the phishing we see hints of cheap clothes and dodgy diplomas. Are the times hardening? If so, Spam Will Adapt & Survive!


Free Health Food

One good reason to get home in daylight is that you can browse the hedges. It has been an amazing year for blackberries with whole sprays ripening at the same time. Even the fruit of the hawthorn are edible, though no tastier than they ever were.
Mrs U made hedgerow jam which allowed me to claim that I had spent the afternoon hawing in the hedges. Which is a very fine image.


The Truths of Astrology

I am sometimes praised, mostly by me, sometimes by him or her, but very rarely by Them. So, this afternoon when I was very deliciously, loudly and fulsomely praised by the lovely ladies on the admin desk, swiftly joined by the very gorgeous customer service head, apparently with no motive other than to publicise my wonderful personal qualities, I was a bit perplexed. In fact I couldn't restrain myself from wondering what their collective game was. (And I still don't know.)

I got a glimpse through the mists, though, on the way home. My horoscope in thelondonpaper, which they won't have seen, is absolutely explicit. It looks like a good weekend -- at least as a test of newspaper horoscopy.

How? Well, it couldn't be more obviously about me, and I have got -- as it happens -- a fine project to throw myself into and a number of things that need to come together. There's even a defined timescale.

We shall see.

UPDATED: 22:34 Saturday -- I assembled a chicken coop with plenty of flair, and energetically picked fruit in the hedgerows, but nothing yet.

UPDATED 21:53 Monday -- Overall the weekend has passed off like many others -- on Sunday I mowed the lawn, cut wood, picked apples... So it looks like a clear loss for astrology -- it got the right guy, but gave the wrong advice. And yet. At 3AM today, I woke with a clear sensation of being outside in a lightning flash with the roar still echoing in my ears. I was so terrified that I would not have been surprised to find myself blind with a Voice asking "umacf24, umacf24 why do you persecute me?" As it was, I shook with terror as I made my way to the toilet and then shook with terror in bed until I fell asleep. I don't think it was real lightning -- I'm too far from the window for it to have that effect. But as a way to bring things together in a rather intriguing way, it totally sucked. So I call this a draw.


ActiveX is Satan's Execution Environment. From Hell.

I went live with a simple but rather marvellous little change -- all the groups which deliver bulk machine or account admin privilege have been dropped into the group that denies browsing on the proxies. That's a huge win -- a vital step forward now that so many legitimate sites have been perved up to push BadSrc exploits and the Dear knows what else. The admins have two accounts, and if they want to browse from their workstation, they have to make sure it's not a member of any of the privilege groups. We're not mandating how the support teams arrange accounts, we're not touching anyone's permissions -- we're just declining to accept the risk of admin browsing.

It's good. I trialled it on myself and -- for six months -- on the domain admins. I gave support six weeks' notice and a pile of reminders. I engaged with anyone who asked for advice on the technicalities. (It mostly boils down to using runas and getting a second explorer instance.) I've written a page on the support wiki, and for those who can't handle my writing there's advice from Aaron Margosis. It seems there are no tasks that require admin-privilege browsing. Everything should be good, and our vulnerability surface hugely reduced.

Except for ActiveX. One of the Desktop team's top-twenty calls is to install or update an ActiveX applet from an external web site. And there's no way round it -- you do need to browse and you do need to be an admin, because what you're doing is exactly what malware does -- it's just that you happen to trust the site.

There's no need for this. I don't see ActiveX giving any better user experience than JavaScript -- it's just bad design. But it has to work.

I'm not going back. But:

  • It's pretty plain that this can't be handled with Windows permissions. ActiveX is too broken. And anyway the philosophy of this change has been to leave Windows access alone.
  • So we have to look at the other side. When we do this at the moment, why is it OK? It's because the admin, reassured by the user, trusts the site to be safe, and required for business.

Naturally the block imposed by the no-browsing group is right at the top of the proxy policy. So I'm going to go in with a rule immediately in front of the block. If the user is a desktop admin, and the site is in a static list of "Approved for ActiveX", then the browsing is allowed, and the blocking group won't get a chance to take effect. There's an extra step to get new sites into the list but I don't think that will be too much inconvenience, and like the rest of this change, it's the sort of control we should have had a long time ago.
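To make the rule ordering concrete, here is an added model of the proxy policy just described. It is example code, not the author's proxy configuration: the group names, host names and rule labels are hypothetical stand-ins. It shows the two things that matter for this control: nested group membership (the privilege groups are members of the no-browsing group, so a domain admin is blocked without anyone touching their Windows permissions), and the exemption rule sitting in front of the block, matching only desktop admins and only exact host names from the approved list.

```python
"""Model of a first-match-wins proxy policy with an ActiveX exemption rule.

Added example, not the author's real proxy configuration: group names,
host names and rule labels are all hypothetical.
"""
from dataclasses import dataclass

# Constructed group nesting: every group that grants bulk admin privilege is
# made a member of the group the proxy denies browsing to.
NO_BROWSING_GROUP = "Proxy-NoBrowsing"
GROUP_MEMBERS = {
    NO_BROWSING_GROUP: {"Domain Admins", "Desktop Admins", "Server Admins"},
}

# Static allow-list of hosts approved for ActiveX installs (constructed).
# Exact host names only: no wildcards, no substring matching.
APPROVED_FOR_ACTIVEX = {"activex.vendor-one.example", "update.vendor-two.example"}
ACTIVEX_ALLOWED_GROUP = "Desktop Admins"


def effective_groups(direct_groups, membership=GROUP_MEMBERS):
    """Expand nested membership transitively.

    A user whose only direct group is 'Domain Admins' ends up in
    NO_BROWSING_GROUP because that group contains 'Domain Admins'.
    """
    result = set(direct_groups)
    changed = True
    while changed:
        changed = False
        for parent, members in membership.items():
            if parent not in result and result & members:
                result.add(parent)
                changed = True
    return result


def normalise_host(host):
    """Case-insensitive comparison, trailing dot removed; the caller still
    compares whole names, so approved.example.evil.test never matches
    approved.example."""
    return host.rstrip(".").lower()


@dataclass
class Decision:
    allowed: bool
    rule: str


def evaluate(user_groups, host):
    """Ordered proxy rules, first match wins."""
    groups = effective_groups(user_groups)
    host = normalise_host(host)

    # Rule 1, placed in front of the block: desktop admins may reach
    # approved ActiveX hosts even though they are in the no-browsing group.
    if ACTIVEX_ALLOWED_GROUP in groups and host in APPROVED_FOR_ACTIVEX:
        return Decision(True, "activex-approved")

    # Rule 2: anyone transitively in the no-browsing group is blocked.
    if NO_BROWSING_GROUP in groups:
        return Decision(False, "no-browsing-group")

    # Rule 3: everyone else browses normally (content filtering not modelled).
    return Decision(True, "default-allow")


if __name__ == "__main__":
    # Constructed requests: (direct groups, host)
    requests = [
        ({"Staff"}, "www.news.example"),
        ({"Domain Admins"}, "www.news.example"),
        ({"Desktop Admins"}, "ACTIVEX.vendor-one.example."),
        ({"Desktop Admins"}, "activex.vendor-one.example.evil.test"),
        ({"Domain Admins"}, "activex.vendor-one.example"),
    ]
    for groups, host in requests:
        d = evaluate(groups, host)
        print(f"{sorted(groups)!s:22} {host:45} {'ALLOW' if d.allowed else 'DENY':5} ({d.rule})")
```

The two checks worth carrying over to a real proxy are the ones the last two requests exercise: the exemption is keyed on the desktop-admin group alone, so a domain admin hitting an approved host is still blocked, and the approved list is matched as whole host names, so a look-alike host that merely contains an approved name does not slip through.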

We have to settle who will approve sites into this list, but that's easy: I will.

Next step: probably to enable fast user switching on the desktops, to make life easier all round.


Two Shiny Stories

So now we have the Google browser with a name that proves that the Septics do get irony. It's not chromy at all, but it does have two interesting stories:

  • It is possible to keep big secrets for a long time. I don't know how long it took to go from concept to (beta -- surprise) release, but it can't have been less than eighteen months, and even though a Google browser is a juicy story, all the news services seem to have been taken by surprise. That's impressive. I'd like to know how they did it, and I wonder what other secrets they are keeping.
  • Now that Google is just as wicked as Microsoft there's lots of fuss about the browser's licence and its potential to phone information to Google (i.e. under the pretence of checking whether the site you are visiting is phishing). But the source is under BSD, so it ought to be possible for a forked "clean" version to appear on SourceForge any time. We'll see whether open source can still function without corporate support....