I hope that this comment doesn’t become typical of Google’s approach to Chrome security

From an interview at Google Blogoscoped with Google group product manager Brian Rakowski:

There are ways to make Chrome automatically download a file without the user confirming this (at least using Chrome’s default options). Don’t you consider that a potential problem?

On its own, downloading a file isn’t dangerous. It can be annoying if a site tries to download a bunch of files to fill up your hard drive, but there are other ways to do things like that and it hasn’t become a problem. The danger arises when an automatically downloaded file can be automatically executed. We’ve taken steps to prevent this in Google Chrome and will continue to make sure that this is the case.

This answer is incredibly disingenuous.

How about this comparison? Leaving your front door open is not inherently dangerous. It’s only a problem if an attacker walks in through the open door and steals your stuff!

Is downloading a file inherently dangerous? Of course not, I do it all the time - when I want to! If Chrome can be fooled into downloading a file without the user’s permission - and it can - that means that an attacker can place malware onto your machine, and it’s up to you not to launch it. Even if it’s named Spore.exe, and has a Spore shortcut on the Start menu linking to it. A Start menu shortcut is itself just a file. Arbitrary file downloads are inherently dangerous. You can’t say “It’s only dangerous if…” the file automatically gets executed, because it’s much easier to convince the end user to execute a file than it is to force it onto the end user’s machine!

With decent security in place, that is.

BTW, this vulnerability calls into question the whole trust model that the comic book brags about on pages 26-27, don’t you think?

Posted in Geekiness

Just finished watching the Tina Fey/Sarah Palin episode of Saturday Night Live…

And boy, are my arms tired!

The Tina Fey/Sarah Palin thing was not horrific, actually, for the most part, I guess. But I’m not sure that it was a great idea for SNL to make a play for the attention of people like me, who haven’t seen SNL regularly since Joe Piscopo overwhelmed the show with his talent.

Let me put this plainly. Why would SNL do anything to attract this kind of attention when, how shall I say, the show sucks so bad? Shouldn’t they try to avoid attracting attention? Isn’t the last thing they should want to do is get more people looking at them sucking so bad? They should be hiding.

Yes, I watched it at 8 on a Sunday night. That’s always been a big problem with SNL, that it’s on so late. That, and the sucking. Oh, my tentacles and teeth!

Posted in Writing

More Google Chrome security issues…

Zero Day is all over this, aggregating reports as they come in.

http://blogs.zdnet.com/security/?p=1858

Yes, Google calls it a beta, but everyone’s used to relying on Google’s beta products. Chrome is, so far, behaving exactly the way you’d expect a brand-new browser to behave. Although Google put a lot of good thought into the architecture, security is all about the implementation. By writing this privately, without a lot of public oversight, they bought into this kind of launch - high publicity, high uptake, high risk.

Posted in Writing

Wordle clouds of the four major candidates’ speeches…

Here’s Wordle, if you haven’t seen it before.

Not sure whether they tell you anything, but here they are:

Barack:

image

Biden:

image

McCain:

image

Palin:

image

Posted in Writing

Wish I’d thought of that…

rmcore

Posted in Writing

Google Chrome again…

Actually, I really like it. It’s way, way faster than Firefox 3 or IE7 or 8, for initial launches and individual page loads.
Though I made fun of the comic book, it does cover a lot more info than I remember Mozilla or the IE team ever releasing on the architectures of their browsers - and Opera? Forget it. They cover a lot of interesting points for the user, the developer, and the security guy. I’m impressed by all of it.

Google Chrome is, though, a web browser, which means that it is inevitably a huge and complex piece of software riddled with security defects. Since it’s new, we don’t know what any of them are, though! They are there, though, and they’ll jump out at us pretty rapidly.
Here’s one, via Zero Day and Evil Fingers.

“An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by a ’special’ character, the chrome crashes with a Google Chrome message window “Whoa! Google Chrome has crashed. Restart now?””

This is bad enough that we’ll see it patched really soon. The problem isn’t just that a malicious URL can crash the browser, it’s the risk that the crash could lead to a stack overflow. They’re using ASLR - address space layout randomization - which makes that kind of attack harder to mount.

The second issue Zero Day cites was a big flaming red flag when it showed up in Safari - the ability of a malicious site to drop files onto the desktop. The Google proof-of-concept exploit may not seem as bad as the Safari carpet-bombing issue, since the user currently has to OK the desktop file save. Aviv Raff’s exploit is an interesting combination of old attacks on aging components incorporated into Chrome and a brand-new vulnerability fresh from Black Hat 2008.

SOOO…
I’d continue to use Firefox for your everyday casual browsing needs. Chrome won’t be safe for a while yet - no new browser could be. IE7 isn’t bad, and IE8 will be pretty good.

Posted in Geekiness

French Cable Station Museum

It may sound more like the name of an early Elephant 6 band - cf. Neutral Milk Hotel, Olivia Tremor Control - but it’s a wonderful little museum in Orleans, MA. We went there a few weeks ago during our one-week vacation on Cape Cod, and for me, at least, it was the height of the trip.

The first transatlantic telegraph cable connected the US with London, although it took several tries for it to be successful. The French wanted to have their own nearly-instantaneous link with the US that didn’t run through London - diplomatic concerns, don’t you know - and laid their own cable from France to St. Pierre et Miquelon - French-owned islands off the coast of Newfoundland - and from there down the Atlantic coast to Orleans. The French built a telegraph station in a not-so-big house by the water and operated it for over seventy years, apparently upgrading, repairing, patching, and reinventing it on the fly. Much of that equipment has remained in the house since the station shut down in 1959, and it’s now lovingly maintained by a number of elderly gentlemen who run the museum.

The equipment is beautiful. Apologies for the quality of some of these pictures - the only camera I had with me was my iPhone.

Giant capacitor

They let you use some of the equipment! My favorite thing in the museum is the Kleinschmidt Perforator:

Kleinschmidt Perforator

Mr Kleinschmidt - quite an important guy, really - took a standard typewriter and added a tape-puncher on top. Anyone who could type could be a telegrapher; in Thomas Edison’s youth, a skilled telegrapher was a highly-paid professional. Edison himself was one of the best in the world, in fact. By the 20th century, though, innovation had stolen the luster from the telegraphy profession, replacing it with wonderful objects like this.

And this:

Experimental morse transcriber

This is a telegraph transcriber. They didn’t have felt-tip pens, of course, so they had to invent low-friction pens. Dead center in this picture you can see a tiny white whisker. It’s actually a glass tube about a millimeter wide. In this transcriber, the tip of the glass tube sat a mil or so distant from the paper, and the ink would be drawn to the paper by static electricity generated by this:

7000-volt generator

Lovely, isn’t it? Unfortunately, the static-charged contactless pen only worked in low humidity. On Cape Cod, you really don’t ever get low humidity, so this experimental transcriber only worked in winter.

Here’s a working transcriber:

Functioning transcriber

By working, I mean they actually let you work it! The low green box to the right is a punched-tape reader; you feed in the tape you punch on the Kleinschmidt Perforator, and the signal travels six inches to the transcriber, which as you see here is currently using a ballpoint pen instead of the incredibly fragile glass pipettes. The transcriber produces an EEG-like trace of the Morse signal, which you can easily read if you have a) learned your Morse cold and b) further, learned to read Morse as an EEG-like high-low voltage trace instead of dots and dashes. Probably only the ancient gentlemen who operate the museum possess these skills today.

The cable carried direct current over two thousand miles! At the end of its transit the signal was extremely weak, so much of the energy of the inventor team was engaged in reading or amplifying the faint voltage fluctuations. Here’s a real gem:

Heurtley Magnifier

There are only two of these babies left in the whole world. The Heurtley Magnifier used two pairs of platinum wire to form a Wheatstone bridge, with one of the four wires heated ever-so-slightly by the signal current. The slight temperature variations produced enough resistance in the detector wire to control a larger current through the bridge. Vibration was a problem - they couldn’t receive a signal on that one afternoon every couple of weeks when the hardware store across town had its coal shipment dumped into the basement.

If you’re on the Cape, I highly recommend this tiny little museum. Tended with love by men who rescued the building and equipment from destruction, it’s a rare opportunity to understand the technology constraints of an earlier era, and appreciate the astounding feats of engineering on which the modern world is built.

Posted in Found objects, Geekiness, History

Wow. Google has a browser.

Everybody’s pretty excited about it.

image

I could say a lot about how people are overreacting [not everybody though], how it’s the first browser that leverages the principle of least privilege, how optimistic I am that Gears would be worth using if it was built in, and so on.

But what strikes me is that…

image

To promote it, they’ve written what is clearly the most boring graphic novel OF ALL TIME!

Posted in Writing