How to cut the crap in IE8 (IE and Privacy Part 2)

 

I mentioned IE87 pro in the last post, but recently I was doing some work on a server 2008 R2 which didn’t have it installed, and I wanted to look up some data on how much less current solid state drives use than traditional hard disks. I fetched up at Tom’s hardware which was an example of horrible use of flash. I know some people are able to tune out the look-at-me, look-at-me flash, if you’re one I’ve doctored this page to give you some sense of what it is like when I try to read it.  If you scroll the page down the Windows Server Ad on the left doesn’t remain pinned but bounces back into place. Just horrible.  I could have installed IE7 pro but I was trying not to add any software to this machine. So I decided I would turn my attention to using In-Private filtering. The first thing to do was to look at what this page is pulling in. IE8’s privacy report (either from the status bar or the “Web page privacy policy” option on the “Safety” menu) gives a view of what a page is loading from outside its own domain and which of those pages send cookies. You can decide which sites’ cookies you will accept and which you will reject, and this is useful if your goal is to limit the degree to which your movement around many sites gets tracked.  But it lists all pages, (cookies or not) from other domains which show up on a site. So on this particular site what I saw something like the one below:

This showed I was accepting cookies from an admonger  (On internet options my cookies setting was on Medium – this is settable by group policy – only Medium-High level and above blocks these cookies). The report gives me a list of sites which use the page I am looking at to send me sending me stuff I actively want NOT to see. Not all of these will automatically show up if I look at the the in-private filtering settings, because that shows everything which has been found more than a threshold number of times. If set to automatic, In-private Filtering will try to figure out which of these should be blocked, sadly it can’t tell the difference between GoogleAPIs (required to make some sites work) and GoogleAnalytics (habit harvesting). So I’ve set mine manually; This is the first place where (as far as I can tell) IE8 comes up a bit short – it forgets the state of in private filtering, and you need to add a registry entry (sadly this one is not in the group policy templates, but you can save the following to a .REG file and import it into the registry, or even create your own group policy template to set it. Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Safety\PrivacIE] "StartMode"=dword:00000002 A value of 0 is “disabled” , 1 is “Automatic” and 2 is manual. Once filtering is turned on you can select which of the sites detected to block or allow. There is another option though, if you go to In-Private filtering settings via the Saftey menu or via the status bar there is an advanced settings link which takes you to the in private filtering part of Manage add-ons: here you can export or import your settings: again we seem to be missing an easy way to propagate settings: the file is in RSS format there doesn’t seem to be an obvious way to subscribe one. The file itself looks like the one below

 <?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wf="http://www.microsoft.com/schemas/webfilter/2008">
<channel>
         <title>test</title>
         <description>Export of InPrivate Filtering</description>
             <item>
                  <description>*.google-analytics.com/*</description>
                  <wf:blockRegex><![CDATA[.*\.google-analytics\.com/.*]]></wf:blockRegex>
            </item>
           <item>
               <description>*.DoubleClick.net/*</description>
               <wf:blockRegex><![CDATA[.*\.DoubleClick\.net/.*]]></wf:blockRegex>
         </item>
</channel>
</rss>

As you can see the file is an RSS XML file which defies an extra WebFilter schema. We can have Web filter  blockRegEx or AllowRegEx items – the reg ex is a regular expression, and this is no time to dive into explaining them. Suffice to say that . in a regular expression means “any character” and .* means any character, any number of times (what would be * in most wild card syntaxes). Since . has a special meaning the escape character \ appears before a . when we mean that character – the descriptions show the normal way of writing the expression, a couple of minutes with notepad and I was seeing something like this.  Not only is this something I can read, but might notice the ads which I might follow because they are both static and relevant have got greater prominence. I’d say that was a good result all round.

 

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/27/how-to-cut-the-crap-in-ie8-ie-and-privacy-part-2.aspx’;

This post originally appeared on my technet blog.

IE8 and privacy , part 1

I wanted to talk about the privacy enhancements in IE8, and to save you from reading something of epic length this is only part 1. First, I do know there are some poor souls out there who work for benighted organizations which can’t get off IE6 – so the idea of working efficiently with a multi-tabbed browser like IE7 or IE8 is denied to them unless they get creative and install a second browser [Given a choice between the 8 year old IE 6 and the current Firefox, I would take the current product] but that is another story for another day. If you’re on IE7, then moving up to 8 is nothing like the step of getting off 6 so there really is no reason not to move from 7 to 8. Even if you’re on 8 already you may have missed the enhancements

I guess there is a decent chance that you know about “in private browsing.” which people laughingly call “porn mode”: the idea is it leaves no trace behind. In one of my more memorably titled posts “Pigs and Drugs and Naked Dwarves” I mentioned that “for the last five years or so a prescription drug has helped me lead a bit more normal life than would otherwise be the case.”. Two years on and I’m still taking it, and last time I saw the doctor he said he preferred on-line requests for repeat prescriptions. It’s easier for me too, but I don’t want my request lurking in IE’s history. It’s a model use for in private browsing. I was telling someone recently that the specialist who first suggested this drug told me “I won’t tell you about it because I know you’ll read about it on the internet anyway” which is what I did. Today I would have turned on in private browsing for that too.

I’m a lot less worried by what’s in my browser history than I am by the behaviour of those who sell internet advertising, who want to gather the maximum amount of information about what you and your interests. I don’t want to target Google but as the biggest they select themselves and their CEO Eric Schmidt* famously said he wanted Google to know everything about people – which produced some interesting press. There are things I don’t want Google et al to know about me (like which drugs I’ve shown an interest in) and I can’t really say where those things stop and the things I don’t care about begin. Google’s users are not its customers – its customers are its advertisers, so when advertisers’ desire to target ads comes into conflict with users desire for privacy, I’ve no idea how Google (or any of the others) would go about resolving the conflict. Even on this blog there is potential for someone to see what you’re interested in because links out of the site go via bit.ly so we can see what links people follow. My view (for what it’s worth) is if you can see before you click the link it goes via a central service and if you don’t like bit.ly having that information you can choose not to click the link. I like the fact that my projects on codeplex.com display in large friendly letters whose analytics are used by the site. I’m not so happy about organizations quietly siphoning up personal information, but that can be stopped by IE8. Since this paragraph is peppered with “My view” , “I like”, “I’m not so happy with”, this might be a good point to remind you that this the personal view of one Microsoft employee (see the in Private feature section of the IE8 Readiness kit for a more rounded view of the issues) but the important point is that we do like to give people choices. For me exercising  choice meant using IE7 pro for the last couple of years, it works nicely on IE8; there are other dedicated blockers though the ones for Firefox seem to be better known.  IE 8 has “In private filtering” lurking quietly on the status bar: this removes undesirable embedded content – so  it can also filter out servers of Ads, which is where the blockers focus their attention, and something I will come back to.  In Private filtering identifies those bits of content which come from one provider but are embedded in pages of multiple others, as you can see from the screen shot below.

I went through the sites which IE had picked up: here are what some of them say about themselves:

What is STATCOUNTER? A free yet reliable invisible web tracker
Quantcast says. “We show you who is clicking your ads, browsing your website, and purchasing your products… Once you know, it’s easy to buy an audience of millions — even tens of millions — who look like them”
Media6°claims it ‘provides major brand marketers with targeted audiences using the power of social graph data.’
Site meter says with their “detailed reporting you’ll have a clear picture of who is visiting your site, how they found you, where they came from, what interests them and much more”
Kontera says “patented technology performs real-time semantic analysis of content and other information to dynamically hyper-link the terms that most accurately represent and predict user-intent and engagement”
ScorecardResearch is a domain used by Full Circle Studies, Inc. to help with the collection of Internet web browsing data on specific websites that have enrolled in a broad market research effort to create reports on Internet behavior and trends.
YieldManager turns out to be part of the “Right Media Exchange” which calls itself the first largest market place for all buyers and sellers [of ads]

Underneath the list of sites there is a link to find out more about the organizations sending you content – only two of follow the standard (Google Analytics, and Audience Sciences [RevSci.net] ) . The others needed me to go digging to find out who they were, and what they wanted my information for; reason enough in my mind NOT to trust them. What was interesting was that Audience Sciences is a member of the Network Advertising Initiative who have an Opt out page . I recommend you visit that page it shows you how many NAI members have got their cookies onto your computer (a staggering number in my case), and allows you to say that you don’t want those organizations to put the information they have about you to use. To me that’s solving the wrong problem. Blocking with In-private browsing stops them getting the information in the first place.

I said I would come back to the question of blocking adverts. Some people will tell you that visitors to a web site somehow have a duty to look at the ads it serves up. Did anyone ever argue that you should must stay in the room when ads appear on TV ?  And whilst such arguments might have merit if talking about universal blocking, they look staggeringly weak when its a personal, one-off decision. Remember that ads are usually paid by click-through, not by views. I am never going going to click through any of the ads in question, so I am not costing the sites any revenue. Secondly I’ve written here and here about my “aspergers-like” reactions to distracting (Flash) content on web sites – the impetus for this piece was using a machine with out IE7 pro and hitting a one site where an ad for Windows Server bounces up and down in the margin as you scroll the site, oh the shame of it. I am less likely to buy the product of an advertiser who shows me an ad like that, so I am doing them a favour by not filtering out the ad, as well as saving everyone’s bandwidth.

Next up – how to configure it:

 

---

*Two thoughts on Eric Schmidt (1) He ran Novell for a time so I think of him as “The man who turned Novell into the company it is today.” (2) He famously talked about Microsoft having an evil room. In all the real-estate Microsoft owns it is comforting to know he thinks our evil is confined to one room. Actually I’m sorely tempted to propose that we rename one of rooms from, say, “Great Ouse” to “Evil”, and hang a picture of Eric and some of his sayings on the wall. 

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/23/ie8-and-privacy-part-1.aspx’;

This post originally appeared on my technet blog.

Can Bing do twitter search better than twitter ?

First off to avoid any frustration, you need to set your country to United States, because this feature hasn’t been rolled out to all the baby bings.

The you go to www.bing.com/twitter and put in what you want to search for, you get the most recent tweets, and links which come up in multiple posts, even (and this is the bit I like) even if they are linked with different shortening services. And you can re-tweet anything you see.

I’ve got another post in draft at the moment which could be seen as having a go at Google, and I don’t want to be get into bashing them, but … Google are seen as the leaders in search, so much so that getting people to even try something else isn’t easy. But I can’t recall the last time I saw Google do anything innovative with search. (I’m sure someone will set me straight on that). Update. Google say they will be searching Twitter in the future: now if they come out after bing and with something which isn’t as good … oh deary deary me.

As I hinted in the previous post, sometimes the negative press we get can get us down. With Windows 7 , and Server 2008 R2, the new Office, the project Natal stuff on Xbox (so cool it will give you frostbite), and Bing showing our search work in a good light, people are writing stories about Microsoft getting its mojo back: as a good Microsoftie I’d argue we never really lost it but after all that knocking copy, I’ll settle for that.

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/22/can-bing-do-twitter-search-better-than-twitter.aspx’;

This post originally appeared on my technet blog.

A uniquely good day to be at Microsoft

I don’t think you can have missed that today was the day Windows 7 became generally available. I’ve been trying to come up with some unique angle on this for a blog post and not getting anywhere. Two thoughts related thoughts I will share.

The first: sometimes on these occasions the press turn up and try to interview employees: since I am press-trained I can talk to them, and as I was driving to the office this morning I wondered what sound bite I’d come out with. “This place is always on a high when we release new products and seeing reaction Windows 7 has been getting we’re on a higher high than usual”. I wondered how I could bring in Server 2008 R2, or the upcoming “2010” releases apart from ending with “and we ain’t done yet.”

The last thing I did before leaving the office was to read a mail from our director: it doesn’t deserve to be broken up for quotes, but it would be rude to publish it all. He called out the story that Amazon said pre-orders were its biggest ever outstripping the last Harry Potter , and 500 people queued up outside PC world’s flagship store to get their copy at midnight. He called out the positive press that the Register has given 7, they’re not known for being pro Microsoft. And he called out the groundswell of positive customer feeling which 7 has (My personal favourite is the Vox-pop of twitter comments running on the Microsoft.com home page). And he said “It’s easy for old lags like me to become cynical and start believing the [Negative press we get]”  ,before talking about the how he felt re-energized by the arrival of 7. I’m staring down the barrel of a 10 year service award so I’m an “old lag” myself and know exactly what he means.  His final words were “There is no better place to be today”, and from a director that’s a sentence which should usually be treated with the same cynicism as , let’s say, “People are our greatest asset”. But this time … I’ve never agreed with him more.

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/22/a-uniquely-good-day-to-be-at-microsoft.aspx’;

This post originally appeared on my technet blog.

More on VHD files

I’ve had plenty to say about the uses of VHD files on different occasions. They get used anywhere we need to have a file which contains an image of a disk. So from Vista onwards we have had complete image backup to VHD, we use VHD for holding the virtual disk to be used by a Virtual Machine (be it hyper-V , Virtual PC or Virtual Server – the disks are portable although the OS on them might be configured to be bootable on one form of virtualization and not another), and so on.

Most interesting of all with Windows 7 and Server 2008 R2 the OS can be boot from a VHD file – if you try to do this with an older OS it will begin to boot and then when it discovers it is not on a native hard disk it all goes the way of the pear. However an older OS can be installed on the “native” disk with a newer OS in a VHD, provided that the boot loader is new enough to understand boot from VHD. I’ve done this with my two cluster node laptops – I can boot into Server 2008 “classic” or into 2008 R2: the latter is contained in a VHD and so I don’t have to worry about re-partitioning the disk or having different OSes in different folders. The principles are the same but the process is a bit complicated for XP and for Server 2003 – but Mark has a guest post on his blog which gives a step by step guide. In theory it should work on any OS which uses NTLDR and Boot.ini all the way back to NT3.1 – though I will admit I’ve only run XP and Server 2003 in virtual machines since Hyper-V went into beta,

Of course being able to mount VHDs inside Windows 7 and Server 2008 R2 gives you an alternative way of getting files back from a backup, and I’ve got a video on technet edge showing that and some of the other uses. My attempts to modify a backup VHD into a Virtual Machine VHD have failed – I can access the disk in a VM, but my attempts to find the right set of incantations to make it bootable have left me feeling like one of the less able students at Hogwarts. Into this mix comes a new Disk2VHD  tool from Mark Russinovich and Bryce Cogswell – Mark is the more famous member of the team, but if you do a search on Bryce’s name you’ll see his background with sysinternals  so Disk2VHD comes with an instant provenance. There are multiple places where this tool has a use, lifting an existing Machine to make a boot-from-VHD image or a virtual machine, or as a way of doing an image backup which can be used in a VM.

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/17/more-on-vhd-files.aspx’;

This post originally appeared on my technet blog.

Microsoft Security Essentials

Somehow, in all the other activities of the last couple of weeks I missed the release of Microsoft Security Essentials which is our FREE* anti-virus / anti-malware product aimed at home users. (We have the more business oriented Forefront Client Security as well). My experience with it has been too limited to date to offer much commentary on it: however – since this blog is read mostly by people who work around computers the reason for writing about it is to say this: we all have a friend or family member who doesn’t protect their PC. The availability of  software from Microsoft which plugs the gap and is FREE* gives you a chance help them.

Over on the Malware protection center blog  Joe has posted an analysis of what it unearthed in its first live week. We’ve had 1.5million downloads, and found 4 million infections on 0.5 million computers. That’s right the average infected computer has eight different infections. I’ve seen numbers like that before and find it a bit unnerving , because there is a long tail effect: lots of machines are clean, some have one or two infections, the average for an infected machine is 8 and beyond that – there are some out there with dozens upon dozens.

Joe breaks down the reports by country: US has the most reports at 25%, then Brazil and China at 17% each the UK only has 2% of the reports. I don’t know if it is because we have fewer installations here or if our PCs are better protected. Unfortunately it is only infection reports which are broken down by country, not downloads or installations. But Joe does break installations down by OS. 44% is Windows 7, 23% Vista and 33% XP. We haven’t even launched 7 properly and it is 44% of the downloads. My guess is that people who are trying out a new OS are keener than the population at large to try new anti-malware from the same source. The final chart Joe has put up shows the ratio of infections per OS – when he says normalized, I’m assuming that means Vista numbers are scaled up and Windows 7 scaled down so they both represent infection rates on a equal number of computers. XP is more than 3 times more likely to have an infection than 7. This isn’t entirely because 7 is better – it will be a newer installation so XP will have had more chances to get infected. XP infections rates are 60% higher than Vista’s. But 7 is running at about half Vista’s rate. As time passes it will be interesting to see how close 7 and Vista end up and how far behind XP lags. I’ve got a hunch that the numbers will change as they move away from people installing the software because they think their PC might be infected and finding something on the first run.

 

*As it says on the web site Your PC must run genuine Windows to install Microsoft Security Essentials  or put another way, if you stole the OS, you’re going to have to figure out how to steal software to protect it.

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/16/microsoft-security-essentials.aspx’;

This post originally appeared on my technet blog.

A quick thank you

The theft of my laptop, bag, fleece, keys, etc was a pretty galling experience as I described in the post before this one. There’s never a good time for this to happen, but in the run up to our big  launch event at Wembley was especially inconvenient. What has come as a surprise – and a pleasant one this time – is the number of people who have taken the trouble to commiserate with me, from the people who commented to that post, to the friends who dropped me an email, to those people who came up to me in person (a lot at Wembley) and asked if I had got any of it back. (There was a tag on my keys which would mean they came back to be if thrown in a post box, and the Post Office would get a Microsoft security badge back to Microsoft UK. But no.)  To have enough people show the positive side of human nature that I’m able to lose count has been a bit of a silver lining to the whole experience. And at risk of analysing it all too much, the benefit rises exponentially with the number of people. It would NOT be right to name names here, (I don’t even know all the names) but the people concerned know who they are: Thank you, all of you.

update. Missed out a NOT in the original, which changed the sense somewhat. Oops.

tweetmeme_style = ‘compact’;
tweetmeme_url = ‘http://blogs.technet.com/jamesone/archive/2009/10/09/a-quick-thank-you.aspx’;

This post originally appeared on my technet blog.