<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><!-- RSS generated by Buckley v0.0.2 (from buckley.cache.memcache) --><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"> 
<channel> 
<title>New Web Order</title> 
<link>http://nikcub.appspot.com/</link> 
<description>Nik Cubrilovic Blog</description> 
<language>en-us</language> 
<pubDate>Fri, 14 Jun 2013 22:54:08 +0000</pubDate> 
<lastBuildDate>Fri, 14 Jun 2013 22:54:08 +0000</lastBuildDate>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/NewWebOrder" /><feedburner:info uri="newweborder" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>NewWebOrder</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item> 
  <title>Two Google Chrome Privacy Issues</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/ZVbSOamKEsw/two-google-chrome-privacy-issues</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;I have recently discovered two privacy issues with Google Chrome that users should be aware of. They both relate to browsing history data not being deleted despite the user taking action to delete browsing history.&lt;/p&gt;

&lt;p&gt;A Google Chrome user can delete browser history by going into &lt;code&gt;Preferences -&gt; Show Advanced Settings -&gt; Clear Browsing Data&lt;/code&gt;. The following dialog is presented:&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120808-pknj5238qn115ekg8wq6webybb.jpg" class="screenshot" width="600" height="338" alt="screenshot of Google Chrome clear browser history dialog"&gt;&lt;/p&gt;

&lt;p&gt;If you then click the 'Clear browsing data' button you would expect that all traces of websites that have been visited from the machine would be erased, but there are two instances where user visit data is retained.&lt;/p&gt;

&lt;p&gt;I have tested both of these issues with the latest Chrome versions (including Canary) on both Windows and Mac.&lt;/p&gt;

&lt;h3&gt;Issue 1: Zoom level information for a domain is retained&lt;/h3&gt;

&lt;p&gt;When visiting a web site in Chrome, if you zoom in and out (cmd + +/- or view -&gt; zoom in/zoom out) the browser will remember your zoom setting for that website. The next time you visit the same site it will apply your previous zoom setting automatically.&lt;/p&gt;

&lt;p&gt;The zoom data is associated per domain, and is stored in the user Preferences file, which is part of the user profile - &lt;code&gt;~/Library/Application Support/Google/Chrome/Default&lt;/code&gt; in OS X and &lt;code&gt;\Documents and Settings\%USER\Local Settings\Application Data\Google\Chrome\User Data\Default&lt;/code&gt; on Windows (or AppData in Win8). The Preferences file is a plain text file that stores user preferences in JSON format.&lt;/p&gt;

&lt;p&gt;The per-host zoom settings are stored in this file and &lt;b&gt;not deleted&lt;/b&gt; when the user deletes browser history, leaving a trail of visited domain names where the user has adjusted zoom settings.&lt;/p&gt;

&lt;p&gt;An example of what it looks like:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;"per_host_zoom_levels": {
         "": -1.0,
         "1.bp.blogspot.com": -0.5778829455375671,
         "2.bp.blogspot.com": 3.0,
         "3.bp.blogspot.com": 3.0,
         "4.bp.blogspot.com": -2.22938871383667,
         "account.onetruefan.com": -1,
         "acko.net": -1.0,
         "allthingsd.com": -1.0,
         "antirez.com": -1,
         "api.jquery.com": -0.5778829455375671,
         "apple.stackexchange.com": -1.0,
         "archive.guardian.co.uk": -1.0,
         "arstechnica.com": -0.5778829455375671,&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Any other user or process with access to the user profile can access this information.&lt;/p&gt;

&lt;p&gt;This issue was &lt;a href="http://code.google.com/p/chromium/issues/detail?id=137412"&gt;filed as a bug&lt;/a&gt; on the 14th of July.&lt;/p&gt;

&lt;h3&gt;Issue 2: DNS prefetched domains are not deleted with browsing history&lt;/h3&gt;

&lt;p&gt;DNS is used to translate a domain name (e.g. xyz.com) to an IP address. The DNS lookup portion of a visit to a webpage can take anywhere from 10-50% of the load time, depending on the DNS server and network conditions.&lt;/p&gt;

&lt;p&gt;To improve the performance and responsiveness of Google Chrome, the browser will 'pre-fetch' DNS queries and cache them in the user profile. It will perform DNS lookups in the background for any domain names it finds within a page you are visiting, and cache the results. When you click on one of the links, the cached result is used rather than a network lookup.&lt;/p&gt;

&lt;p&gt;Google wrote a &lt;a href="http://blog.chromium.org/2008/09/dns-prefetching-or-pre-resolving.html"&gt;thorough blog post&lt;/a&gt; about DNS prefetching in Chrome, how it works and the benefits.&lt;/p&gt;

&lt;p&gt;In Chrome, if you open &lt;code&gt;chrome://dns&lt;/code&gt; in the address bar, you will see all the statistics for DNS prefetching.&lt;/p&gt;

&lt;p&gt;As with the zoom issue, Chrome does not delete this DNS prefetch information when a user deletes browser history - meaning that a long list of visited domains (and other information) is left behind on a machine even after the user forcibly deletes the browser history.&lt;/p&gt;

&lt;p&gt;Here is what the DNS prefetch information looks like in the Preferences file.&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120808-btitbkud6b5134gs67u3r2hcnk.jpg" class="screenshot" width="600" height="338" alt="screenshot of Google Chrome Preferences file showing DNS prefetch information"&gt;&lt;/p&gt;

&lt;p&gt;This issue was &lt;a href="http://code.google.com/p/chromium/issues/detail?id=137414"&gt;also filed as a bug&lt;/a&gt; on June the 17th.&lt;/p&gt;

&lt;p&gt;There is a &lt;a href="http://www.mydigitallife.info/turn-off-dns-prefetching-in-google-chrome-to-fix-resolving-host-and-cannot-load-page-error/"&gt;blog post here&lt;/a&gt; describing how to disable DNS prefetching in Chrome.&lt;/p&gt;

&lt;h3&gt;Potential Impact&lt;/h3&gt;

&lt;p&gt;If you are on a shared machine, such as a public terminal, you can learn the browsing habits of previous users and the sites they visited. This is most likely to be used in combination with other attacks.&lt;/p&gt;

&lt;p&gt;Don't rely on the built-in features of Chrome to remove every trace of your web browsing history from a machine. With your browsing history, an attacker could find information about the services you use (such as your banking provider, etc.) in preparation for a spear-phish attack.&lt;/p&gt;

&lt;p&gt;There is the simple issue of privacy and the potential misinterpretation of what 'clear browser history' really means. I would have thought that this issue would be somewhat important to clear up, by adding some simple routines to the history clearing functions, but there has been no action on it from developers on the Chromium project.&lt;/p&gt;</description> 
  <pubDate>Wed, 8 Aug 2012 14:12:17 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/two-google-chrome-privacy-issues?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/two-google-chrome-privacy-issues?src=rss</feedburner:origLink></item>

<item> 
  <title>Yahoo Axis Chrome Extension Leaks Private Certificate File</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/78sQrl22ffY/yahoo-axis-chrome-extension-leaks-private-certificate-file</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;&lt;b&gt;Preamble: The tl;dr for users is to not install (in my opinion) the Yahoo! Axis extenion for Chrome until this issue is clarified&lt;/b&gt;. See update below about disclosing this issue.&lt;/p&gt;

&lt;p&gt;Yahoo! today announced their new &lt;a href="http://axis.yahoo.com"&gt;Axis&lt;/a&gt; web browser. It is implemented as an extension to Chrome, Firefox and Internet Explorer.&lt;/p&gt;

&lt;p&gt;I installed the &lt;a href="http://sxp.yimg.com/ei/ynano/YAxis_Chrome_v1_0_20120520.crx"&gt;Chrome extension&lt;/a&gt; (direct link to original Chrome extension, probably not a good idea to install it) with the idea of checking out the source code. The first thing I noticed is that the source package contains their private certificate file used to sign the extension:&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120524-xnwqgtrsq6g5f7tupwb8i3myq.jpg" class="screenshot"&gt;&lt;/p&gt;

&lt;p&gt;The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!. With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!&lt;/p&gt;

&lt;h3&gt;Demonstration&lt;/h3&gt;

&lt;p&gt;To demonstrate the vulnerability, I cloned the source to the extension and added a content script that will prompt a JavaScript alert. I then signed my forged extension with the Yahoo! certificate, and installed it in Chrome.&lt;/p&gt;

&lt;p&gt;The code for the original Yahoo! extension, and the forged extension I created have been checked into GitHub in a repository at &lt;a href="http://github.com/nikcub/yahoo-spoof"&gt;http://github.com/nikcub/yahoo-spoof&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The source is the same as the original Yahoo! Axis extension except for &lt;a href="https://github.com/nikcub/yahoo-spoof/blob/master/src/content.js#L2"&gt;this content script&lt;/a&gt; which triggers an alert.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Warning: Only install the forged extension if you know what you are doing&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Here is &lt;a href="https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx"&gt;a link&lt;/a&gt; to a build of the forged extension. It is the same as the original Yahoo! source except it includes a content script that will pop up a JavaScript alert on each page, and it has been signed by Yahoo! (well, me).&lt;/p&gt;

&lt;p&gt;This is a proof of concept. When you click on that link it will install the extension in Chrome.&lt;/p&gt; 

&lt;h3&gt;Removing the Extension&lt;/h3&gt;

&lt;p&gt;See the &lt;a href="http://support.google.com/chrome/bin/answer.py?hl=en&amp;answer=187443"&gt;detailed instructions on the Google Support website on managing extensions&lt;/a&gt;. There is also a page detailing &lt;a href="http://support.google.com/chrome/bin/answer.py?hl=en&amp;answer=113907"&gt;how to remove extensions permanently&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;First open the Chrome Extensions setting window.&lt;/p&gt;

&lt;p&gt;Either:&lt;/p&gt;

&lt;p&gt;a) On Mac OS X click on 'Window' and then 'Extensions'. On Windows click on 'Tools' then 'Extensions', or&lt;/p&gt;
&lt;p&gt;b) Click on the wrench icon that is located to the right-hand side of the address bar, click on Tools and then Extensions, or&lt;/p&gt;
&lt;p&gt;c) Visit the address &lt;code&gt;chrome://extensions&lt;/code&gt; in your address bar. This works on all platforms.&lt;/p&gt;

&lt;p&gt;Then, with the extensions settings page open, scroll down until you see the &lt;code&gt;Yahoo! Axis&lt;/code&gt; extension and either uncheck the 'enabled' checkbox, or mouse over the trash icon to delete it.&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120524-kd5h55ktjbi3uw597rfnc7wbm7.jpg" class="screenshot"&gt;&lt;/p&gt;

&lt;h3&gt;Implications&lt;/h3&gt;

&lt;p&gt;The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.&lt;/p&gt;

&lt;p&gt;I immediately reported this to Yahoo! on their security contact address and have yet to hear back.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Update:&lt;/b&gt; Regarding responsible disclosure. I have a long history of contacting vendors and working with them on security and privacy leaks. I have probably reported over a hundred incidents over the past 15 years. The way this came about was out in the open, and started &lt;a href="https://twitter.com/nikcub/status/205489752684765185"&gt;with a tweet&lt;/a&gt; pointing out the file, and only later in the conversation was the possible seriousness of the leak established.&lt;/p&gt; 

&lt;p&gt;It was only via conversations and messages on Twitter after the initial tweet that we worked out that this could be a serious issue, but I contacted Yahoo almost right away. I think it is important for users to know that there is potentially an issue here and to be wary of it. With hindsight I would have kept it to myself and to messages on Twitter, but I relied on a number of other people on Twitter who responded to my original message to ascertain the potential of this disclosure.&lt;/p&gt;

&lt;p&gt;There is also an element of obviousness in this vulnerability. Any developer who is familiar with how Chrome extensions are verified who looked at the source of this package would have seen and noticed the certificate file.&lt;/p&gt;</description> 
  <pubDate>Thu, 24 May 2012 04:16:17 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file?src=rss</feedburner:origLink></item>

<item> 
  <title>BlockPlus v4 Released: Block Google+ widgets and links from other Google sites</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/VMSU3_YU8P0/blockplus-v4-released-block-google-widgets-and-links-from-other-google-sites</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;&lt;img src="http://farm6.static.flickr.com/5116/5909374213_cbae62eb55_m.jpg" style="float: left; margin-right: 10px;"&gt;Google recently added a Google+ widget to the search engine homepage. I wrote BlockPlus when Google+ was first released and first integrated into other Google properties. The idea was to remove all the links to Google+ and Google+ widgets from other Google properties so that you aren't distracted by them and so that the page would load faster.&lt;/p&gt;

&lt;p&gt;Today I have released version 4 (don't ask about the version numbering and how it went from 0.7 to 4.0). It has been updated to remove the new widgets and to also speed up page loading on the Google homepage, the search results page and within other apps such as GMail and Docs.&lt;/p&gt;

&lt;p&gt;To install BlockPlus for Chrome click: &lt;a href="https://github.com/nikcub/Blockplus/raw/master/chrome/build/blockplus-4.crx"&gt;https://github.com/nikcub/Blockplus/raw/master/chrome/build/blockplus-4.crx&lt;/a&gt;. If you installed it previously your browser will auto-update to this new version within a few hours.&lt;/p&gt;

&lt;p&gt;The project also has a new homepage at GitHub which you can find at &lt;a href="https://github.com/nikcub/Blockplus"&gt;https://github.com/nikcub/Blockplus&lt;/a&gt;. Issues can be submitted at &lt;a href="https://github.com/nikcub/Blockplus/issues"&gt;https://github.com/nikcub/Blockplus/issues&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Thank you to those who have previously contributed bug fixes, issues or other feedback. There are no outstanding issues with this release.&lt;/p&gt;

&lt;p&gt;If you are interested in porting the extension as a user script, a Greasemonkey script, or for Safari or Firefox, then feel free to fork it and submit a pull request. I have organized the directories to allow for builds and separate source for other browsers - I just haven't gotten around to implementing the ports myself.&lt;/p&gt;


&lt;h1&gt;Screenshot&lt;/h1&gt;

&lt;img src="http://farm6.static.flickr.com/5235/5909661385_79445883de_b.jpg" style="width: 100%; border: 2px solid silver"&gt;</description> 
  <pubDate>Tue, 21 Feb 2012 08:22:02 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/blockplus-v4-released-block-google-widgets-and-links-from-other-google-sites?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/blockplus-v4-released-block-google-widgets-and-links-from-other-google-sites?src=rss</feedburner:origLink></item>

<item> 
  <title>Facebook and many other sites also bypass Internet Explorer privacy controls</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/QKzyFDBoZEM/facebook-also-doesnt-honor-p3p</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;There is &lt;a href="http://blogs.msdn.com/b/ie/archive/2012/02/20/google-bypassing-user-privacy-settings.aspx"&gt;a post&lt;/a&gt; today on a Microsoft MSDN blog about how Google bypasses third-party cookie control in Internet Explorer by setting a false P3P header. The post author is Dean Hachamovitch, who is the VP for IE, and follows up from a &lt;a href="http://online.wsj.com/article/SB10001424052970204880404577225380456599176.html"&gt;big story last week&lt;/a&gt; about how Google and a number of other ad networks are bypassing third-party cookie blocking in Safari by using a workaround (the workaround involves an IFRAME and a form that is submitted automatically using Javascript).&lt;/p&gt;

&lt;p&gt;The case with IE is different. Google (and many other sites) are taking advantage of the &lt;a href="http://en.wikipedia.org/wiki/P3P"&gt;P3P protocol&lt;/a&gt; (a privacy extension to HTTP) to set third-party cookies. Here is a summary of what Google is doing, from the article:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. &lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Here is what a valid P3P header looks like, as set by &lt;code&gt;microsoft.com&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;&lt;code&gt;$ nc microsoft.com 80
HEAD / HTTP/1.1
Host: www.microsoft.com

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 21 Feb 2012 04:29:06 GMT
Server: Microsoft-IIS/6.0
&lt;b&gt;P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'&lt;/b&gt;
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Location: http://www.microsoft.com
Content-Length: 23
Content-Type: text/html
Cache-control: private&lt;/code&gt;&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;If an invalid P3P header is set, or a header that doesn't state policy, Internet Explorer will by default accept the third-party cookies (this doesn't happen in IE9). This is what the P3P header looks like for google.com:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;&lt;code&gt;P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&amp;answer=151657 for more info."&lt;/code&gt;&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;Not mentioned in the Microsoft article is that Facebook are also setting an invalid header ('invalid' may not be the right terminology here, but they are setting a header that does not contain valid privacy policies). This results in Internet Explorer (pre version 9) accepting the third-party cookies.&lt;/p&gt;

&lt;p&gt;From facebook.com:&lt;/p&gt;

&lt;p&gt;&lt;pre&gt;&lt;code&gt;$ nc facebook.com 80
GET / HTTP/1.1
Host: www.facebook.com

HTTP/1.1 302 Found
Location: http://www.facebook.com/common/browser.php
&lt;b&gt;P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"&lt;/b&gt;
Set-Cookie: datr=FxdDTzq9li7A7DRTAxVSXaZN; expires=Thu, 20-Feb-2014 04:01:27 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Debug: 8V3X/HiIi+1PrEZFy4c8LpavYxpBvnsojJ+pcYyGJUg=
X-Cnection: close
Date: Tue, 21 Feb 2012 04:01:27 GMT
Content-Length: 0&lt;/code&gt;&lt;/pre&gt;&lt;/p&gt;

&lt;p&gt;The reason Facebook gives for this header in the page &lt;a href="http://www.facebook.com/help/?page=219494461411349"&gt;that is linked&lt;/a&gt; from it is:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies. &lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Microsoft explicitly called out Google for their behaviour but either neglected to mention or didn't investigate Facebook (skeptics may believe that this is because of Microsoft's shareholding in Facebook and their partnerships in search and advertising (HT &lt;a href="https://twitter.com/#!/ashk4n/status/171808741816147968"&gt;ashk4n&lt;/a&gt;)).&lt;/p&gt;

&lt;p&gt;If Google is being asked to set proper P3P headers (and it appears that they have already altered at least some of their servers) then Facebook should also be held to the same standard.&lt;/p&gt;

&lt;p&gt;&lt;s&gt;We plan on surveying other popular sites to find who else is taking advantage of this loophole in P3P and its implementation to bypass third-party cookie controls in earlier Internet Explorer versions&lt;/s&gt;. &lt;b&gt;Update:&lt;/b&gt; see below. I plan on running a more thorough survey of the top domains.&lt;/p&gt;

&lt;h2&gt;Survey of other sites&lt;/h2&gt;

&lt;p&gt;I looked up the &lt;a href="http://www.shodanhq.com/research/"&gt;Shodan Research HTTP archive&lt;/a&gt; to estimate how many other sites are bypassing Internet Explorer privacy controls for third-party cookies by setting an invalid P3P policy.&lt;/p&gt;

&lt;p&gt;The database contains all the HTTP headers for the top 10,000 websites according to Alexa. The relevant headers (&lt;a href="http://www.shodanhq.com/research/infodisc/header/P3P"&gt;P3P&lt;/a&gt;, &lt;a href="http://www.shodanhq.com/research/infodisc/header/p3p"&gt;p3p&lt;/a&gt;, etc.) show that &lt;b&gt;almost 500 sites are setting invalid P3P headers - almost a full 5% of the top 10,000 web servers surveyed&lt;/b&gt;.&lt;/p&gt;</description> 
  <pubDate>Tue, 21 Feb 2012 04:40:52 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/facebook-also-doesnt-honor-p3p?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/facebook-also-doesnt-honor-p3p?src=rss</feedburner:origLink></item>

<item> 
  <title>Facebook Is Losing E-Commerce</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/39pb7rpxXPA/facebook-is-losing-e-commerce</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;Bloomberg has a report &lt;a href="http://www.bloomberg.com/news/2012-02-17/f-commerce-trips-as-gap-to-penney-shut-facebook-stores-retail.html"&gt;out today&lt;/a&gt; about retailers shutting down their online Facebook stores due to lack of interest and activity from users. The headline example is Gamestop - who, despite having some 3.5 million fans on Facebook - recently shut down its Facebook shopfront because it didn't take off with users. From the article:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;“There was a lot of anticipation that Facebook would turn into a new destination, a store, a place where people would shop,” Mulpuru said in a telephone interview. “But it was like trying to sell stuff to people while they’re hanging out with their friends at the bar.”&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;The story also reports that in the past 12 months other large US brands such as Gap, J.C. Penney and Nordstrom have also opened and then subsequently closed stores.&lt;/p&gt;

&lt;p&gt;On the same day a story is published about e-commerce failing on Facebook other stories are published about the rapid growth and success of Pinterest - the social collation and shopping site. Pinterest may already be generating tens of millions of dollars in revenue through affiliate fees received from vendors who are referred users from the service.&lt;/p&gt;

&lt;p&gt;So what is going wrong at Facebook? How has Pinterest managed to capitalize on the intersection of social and e-commerce while the world's largest social network has been left to flounder?&lt;/p&gt;

&lt;h2&gt;The IPO&lt;/h2&gt;

&lt;p&gt;Facebook recently filed an &lt;a href="http://sec.gov/Archives/edgar/data/1326801/000119312512034517/d287954ds1.htm"&gt;S-1 with the SEC&lt;/a&gt; and intends to go public sometime in the next 3 months. While it is not yet known, it is said that Facebook are aiming for a valuation of between $75-100 billion.&lt;/p&gt;

&lt;p&gt;The key numbers are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;845 Million active users (login once a month)&lt;/li&gt;
&lt;li&gt;483 Million users who login at least once a day&lt;/li&gt;
&lt;li&gt;43% of all global Internet users are regular Facebook users&lt;/li&gt;
&lt;li&gt;$3.71 Billion in revenue last year, YoY growth of 88%&lt;/li&gt;
&lt;li&gt;$470 Million per year is from Facebook Credits&lt;/li&gt;
&lt;li&gt;Operating margin of 43%&lt;/li&gt;
&lt;li&gt;$1 Billion in earnings&lt;/li&gt;
&lt;li&gt;Revenue growth is slowing, from 88% '10-'11 to 60% '11-'12&lt;/li&gt;
&lt;li&gt;85% of revenue from ad sales&lt;/li&gt;
&lt;li&gt;$4.75 of revenue per year per active user&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A valuation of $100 Billion would imply a PE of 100. A valuation of $75 Billion would imply a PE of 75. Apple trades at a PE of 13x and Google at 20x - so for Facebook to justify a $75-100 Billion valuation it would need to grow its earnings by an order of magnitude.&lt;/p&gt;

&lt;p&gt;The question then becomes where this growth will come from. Almost all of the wealthy world is already using Facebook. The next 850 Million users will come from countries where ad rates are a fraction of what they are able to achieve currently. The solution to revenue growth is to either grow revenue per user (currently ~$4 per user vs ~$20 per user at Google) or further diversify revenue.&lt;/p&gt;

&lt;p&gt;Facebook has already achieved one thing that Google hasn't - it has two large sources of revenue in ads and in Facebook credits. Credits is expected to grow since it is compulsory for Platform apps to integrate them, but ad yield will be more difficult to grow an order of magnitude without significantly altering the product and user experience.&lt;/p&gt;

&lt;h2&gt;E-Commerce&lt;/h2&gt;

&lt;p&gt;Analysts who place Facebook's valuation at the higher end of the $75-100 Billion range usually justify those numbers by forecasting large revenue growth in e-commerce on Facebook, and Facebook as a retail threat to Amazon and other online outlets. From the Bloomberg article:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;Business consultant Booz &amp; Co. predicted in January 2011 that physical goods sold through social commerce would balloon to $30 billion from $5 billion by 2015, with Facebook contributing a majority of sales.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;It is hard to see how this will be achieved when major brands have attempted to open storefronts on the platform only to shut them down due to lack of interest.&lt;/p&gt;

&lt;h2&gt;Social Commerce&lt;/h2&gt;

&lt;p&gt;The market at the intersection of e-commerce and social has already been established and is growing rapidly, but it is leaving Facebook behind. Pinterest is one of the fastest growing products ever, and &lt;a href="http://techcrunch.com/2012/02/17/pinsanity/"&gt;recent estimates&lt;/a&gt; (although possibly wildly inaccurate) suggest that the site is already achieving tens of millions of dollars in affiliate revenues from its 10 million (and rapidly growing) users.&lt;/p&gt;

&lt;p&gt;The expectation amongst technology commentators and analysts is that in the social era one social network (Facebook) would rule all. Facebook would leverage its large base of users to attack each vertical and in turn switch on gushers of multiple-billion dollar revenue streams. The reality is that social networking online is becoming fragmented. Users of Pinterest can quickly re-create their social network on the site since it integrates with Facebook, and they are also offered the flexibility of a 'do-over' - deciding which contacts they want to share their shopping experiences with and which contacts they don't.&lt;/p&gt;

&lt;p&gt;Pinterest has features that are analogous with Facebook - friends become followers, sharing becomes re-pinning, like becomes love, etc. It takes less than a minute to move over your social network from Facebook and to import it into Pinterest.&lt;/p&gt;

&lt;p&gt;The advantage that Pinterest and other vertical social networks have is that they are designed for one particular use case rather than having to accommodate them all. The growth in Facebook features means more and more links on the frontpage and an ever more confusing interface for users, where commerce and commercial advertising are mixed with personal notes and baby pictures.&lt;/p&gt;

&lt;h2&gt;Why Facebook is Losing E-Commerce&lt;/h2&gt;

&lt;p&gt;&lt;b&gt;Design&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Outside of the core Facebook features (notes and photos from friends), the design of Facebook is terrible. As a user I find myself anxious when clicking on any link outside of the standard view. Despite using the product for over five years, I have zero familiarity with it. Other products that I use as often I can navigate almost blindly, yet with Facebook all of the features beyond the main timeline and posting interface are a huge jumbled mess.&lt;/p&gt;

&lt;p&gt;If I wanted to find a product on Facebook, I wouldn't even know where to start. Here is an example:&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120219-nd4peencu2b7kf9534juhb1ytc.jpg" class="screenshot" alt="shopping on facebook"&gt;&lt;/p&gt;

&lt;p&gt;The search box can only be used to find people or brands, and then only by name. Compare this to Pinterest:&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20120219-fjyq53h693eb4fnfitamgsmuc5.jpg" class="screenshot" alt="shopping on pinterest"&gt;&lt;/p&gt;

&lt;p&gt;Leading brands have invested millions of dollars in promoting their Facebook pages through regular advertising channels, yet most of them offer very little functionality and if you like a product page you end up with a torrent of promotional material in your timeline.&lt;/p&gt;

&lt;p&gt;Facebook has been designed for personal interactions between friends; it hasn't been designed as a way to find and research products that you may be interested in.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Separating and Grouping Friends&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;The second reason, and this was pointed out in the Bloomberg article, is that users do not want to mix the friends that they share notes or photos with and the friends that they seek shopping recommendations from. Facebook has no easy way to segment friends - you can't follow a person you are interested in because of their fashion sense and product recommendations without also being exposed to the mundane details of their life, such as which events they are attending and photos they are sharing.&lt;/p&gt;

&lt;p&gt;Pinterest and other social networks allow users to segment their friends - they may not want their parents, spouse or immediate relatives to know what they are shopping for, but they are happy to share it with dozens of like-minded strangers or friends on Pinterest. Personal photos and notes stay on Facebook; shopping and e-commerce happen on Pinterest and other sites.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Privacy&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Related to that point is the issue of privacy - where Facebook does not have a great track record (see Beacon et al.).&lt;/p&gt;

&lt;p&gt;Do users trust Facebook with even more data than it already holds about them? Do you trust them with your daily shopping habits? Do you trust them not to share your information with retailers who are set up on the site? Do users feel that their privacy is being violated when their news stream consists of a mix of personal photos along with product promotions?&lt;/p&gt;

&lt;p&gt;It may be inevitable that, due to the issue of privacy alone, social networking users become uncomfortable with a single site being the basis for all online activity. The trend may be that multiple social networks - each serving a particular vertical and each knowing only a slice of information about the user - become the norm.&lt;/p&gt;

&lt;p&gt;There is a conflict here for Facebook. They are being entrusted by users with a lot of personal information while at the same time their business interest is to increase the yield from advertising - which can only be achieved with better ad targeting, which means more personal information being revealed to advertisers.&lt;/p&gt;

&lt;h2&gt;What Can Facebook Do&lt;/h2&gt;

&lt;p&gt;To win back e-commerce Facebook will have to redesign their product and somehow segregate the different applications on a social network. One stream for personal information, another stream for e-commerce and product recommendations, another stream for gaming, etc.&lt;/p&gt;

&lt;p&gt;Facebook will also have to figure out a better way to integrate applications with their platform. Why is Pinterest a separate website with minimal Facebook integration rather than an application built on Facebook? The promise and idea of Facebook was to become the social operating system for the web - yet potential partners are tapping into it for nothing more than sucking out contacts.&lt;/p&gt;

&lt;p&gt;Unless there is a redesign of the product and the platform, Facebook may grow out to be the social network for photos, events and notes - leaving the lucrative verticals such as online commerce to competitors such as Pinterest and not fulfilling its potential as the social platform for the entire web.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NewWebOrder/~4/39pb7rpxXPA" height="1" width="1"/&gt;</description> 
  <pubDate>Sun, 19 Feb 2012 02:45:12 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/facebook-is-losing-e-commerce?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/facebook-is-losing-e-commerce?src=rss</feedburner:origLink></item>

<item> 
  <title>How Megaupload Was Investigated and Indicted</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/liCxEjd2iok/how-megaupload-was-investigated-and-indicted</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;&lt;img src="http://mobilitydigest.com/wp-content/uploads/2012/01/image66.png" style="float: left; margin-right: 10px"&gt; The popular file upload site Megaupload was &lt;a href="http://www.techmeme.com/120119/p97#a120119p97"&gt;taken down&lt;/a&gt; today as part of a US DOJ investigation into the site for breaches of US copyright law.&lt;/p&gt;

&lt;p&gt;From reading &lt;a href="http://www.scribd.com/doc/78800989/Mega-Indictment"&gt;the indictment&lt;/a&gt; and digging around online you can start to reverse-engineer how the investigation was carried out.&lt;/p&gt;

&lt;p&gt;The evidence in the grand jury indictment is of four forms:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Internal emails, dating back to 2005, including correspondence between staff members and support emails.&lt;/li&gt;
&lt;li&gt;Publicly accessible details such as URLs to pirated content and dates of domain registrations.&lt;/li&gt;
&lt;li&gt;Information from the Megaupload PayPal account and correspondence between PayPal and Megaupload.&lt;/li&gt;
&lt;li&gt;Information from the Megaupload Moneybookers account.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Megaupload corporate email was self-hosted on a dedicated server that was one of the 525 servers the company had located with Carpathia Hosting in Virginia. That mail server is no longer responding, but the MX record can still be found, pointing to an IP address belonging to Carpathia.&lt;/p&gt;

&lt;p&gt;The bulk of the evidence against Megaupload is from the internal emails, likely taken from this server. I'd guess (and we won't find out for certain until the trial - that is, if this case ever gets to a courtroom) that the FBI and DOJ served Carpathia with a search warrant to gain access to the information on that email server. Under US law you are actually less protected if you host your own private email server rather than using a public service (see &lt;a href="https://ssd.eff.org/book/export/html/42"&gt;this guide&lt;/a&gt; on what the government can and can't do). Megaupload would not have been made aware of any such search warrant.&lt;/p&gt;

&lt;p&gt;It amazes me that this company hosted its emails in plain text on a US-based server. The irony is that there are a number of internal Megaupload email threads discussing what they should do to better shield themselves from the US government. These conversations all take place on a server hosted in the USA. The bulk of the DOJ case will be built on the email archive - and hosting their own email server in the USA may turn out to be the major cause of their downfall.&lt;/p&gt;

&lt;p&gt;The PayPal records, including all the payment information and emails between Megaupload and PayPal, would have been obtainable with a simple subpoena. The same applies for Moneybookers. Subpoenas are remarkably easy to get - and most of the larger web companies do not fight the requests. Very little probable cause is required for the government to obtain these records (to obtain the records without the subject being notified requires an additional court order).&lt;/p&gt;

&lt;p&gt;All of the other evidence is based on public records such as WHOIS records, blog posts, download links, etc.&lt;/p&gt;

&lt;p&gt;To establish a timeline, the New Zealand media reported that the FBI first got in touch with law enforcement officials in that country regarding Megaupload 'around a year ago'. This shows that the investigation had little to do with the recent high-profile release of a &lt;a href="http://torrentfreak.com/riaa-label-artists-a-list-stars-endorse-megaupload-in-new-song-111209/"&gt;supporters video&lt;/a&gt; and music clip along with the associated lawsuits.&lt;/p&gt;

&lt;p&gt;It is thus likely that this investigation began in 2010, at the latest. The emails in the indictment date until November 2011, so the search warrant must have been carried out late last year. The indictment was filed on the 5th of January this year and only unsealed yesterday. The grand jury must have taken place late last year (in 2010).&lt;/p&gt;

&lt;p&gt;The internal emails are often incriminating. I don't buy the argument that a DMCA takedown request requires you to remove every copy of the same file, since each request requires a legal notice that the particular user who uploaded the file does not have explicit permission to host that file. What is a worry for Megaupload is the internal emails between staff discussing piracy, where to find pirated material, rewarding uploaders with cash payments for uploading pirated material and helping users find pirated material in support emails (one support email asks 'I only bought a Megaupload account to watch (the name of some show)' and the staff responded with a link to a download).&lt;/p&gt;

&lt;p&gt;Also incriminating is the money laundering evidence. In the year 2011 alone, Megaupload spent $7.8M on renting yachts in the Mediterranean for 'marketing purposes'. There were also numerous million-dollar or greater bank transfers between a large number of what look like shell companies.&lt;/p&gt;

&lt;p&gt;For the sake of the Internet, I hope Kimble and Megaupload refuse any plea deal and take this all the way to court. They may be guilty on racketeering and money laundering, but we need those finer aspects of DMCA and safe harbor to be tested in a US court. I would also like to find out what probable cause was used to issue a search warrant for the email server and its contents - since that is where almost all of the evidence in this case originated from and there is very little evidence in the injunction outside of the contents of those emails.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NewWebOrder/~4/liCxEjd2iok" height="1" width="1"/&gt;</description> 
  <pubDate>Fri, 20 Jan 2012 16:47:06 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/how-megaupload-was-investigated-and-indicted?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/how-megaupload-was-investigated-and-indicted?src=rss</feedburner:origLink></item>

<item> 
  <title>The Google Firefox search deal, Chrome and Lady GaGa</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/Fnj5qnZR3wc/google-firefox-chrome-lady-gaga</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;In a response to &lt;a href="http://parislemon.com/post/14695710791/pay-to-stay"&gt;MG Siegler's post&lt;/a&gt; about the Google and Firefox deal, Chrome engineer Peter Kasting &lt;a href="https://plus.google.com/114128403856330399812/posts/9dKsD7Mi7JU"&gt;posted to Google+&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;People never seem to understand why Google builds Chrome no matter how many times I try to pound it into their heads. It's very simple: the primary goal of Chrome is to make the web advance as much and as quickly as possible. That's it. It's completely irrelevant to this goal whether Chrome actually gains tons of users or whether instead the web advances because the other browser vendors step up their game and produce far better browsers. Either way the web gets better. Job done. The end.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;I believe the first part about wanting to advance the web. Google's foray into browsers began with the Gears project, an extension to existing browsers that implemented new HTML5 (then Web Applications 1.0) technologies such as localStorage. Browser development was stagnant at the time and since Google is a web company they needed browsers to push forward in order to compete with the desktop and enterprise software industries with solutions such as Apps for Business.&lt;/p&gt;

&lt;p&gt;This effort led to Chrome, a new (and in my opinion, the best) browser which has now overtaken Firefox and attained a 25% market share globally.&lt;/p&gt;

&lt;p&gt;But to say that attaining users for Chrome is a nice side-effect of doing good for web technology is a stretch. Google was previously known as a 'no marketing' or 'anti marketing' company where the product speaks for itself, but this year it increased marketing and advertising spend to $4.9 billion, &lt;a href="http://searchengineland.com/where-is-google-investing-its-marketing-spend-internationally-75226"&gt;up 69%&lt;/a&gt; over last year.&lt;/p&gt;

&lt;p&gt;A lot of mainstream technology users now know what Chrome is because of this marketing effort. Building a good browser that is better than the rest will win you a lot of developers as converts, and some early adopters, but that is worth probably around 10% of the market. The remaining 15% was bought with a large-scale traditional marketing campaign that involved no less than &lt;a href="https://www.youtube.com/watch?v=sDPJ-o1leAw"&gt;Lady GaGa appearing&lt;/a&gt; in a Chrome ad and an advertisement during the Super Bowl (see more &lt;a href="http://www.physorg.com/news/2011-12-google-ramps.html"&gt;here on where Google is spending that budget&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;For some reason Google (or some Chrome developers, at least) want their effort to appear purely altruistic, while the marketing arm of the company is investing billions in attracting users to their platform. There is nothing wrong with this - Chrome is the best browser and spending to convert users to it is a huge favor to web application developers as well.&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111225-pmyb3unhb18e2drdnyr1wuna5k.jpg" class="screenshot" width="600" height="468"&gt;&lt;/p&gt;

&lt;p&gt;As for MG's &lt;a href="http://techcrunch.com/2011/12/24/safari-and-chrome/"&gt;other post today&lt;/a&gt; over at Techcrunch asking why Chrome took off where Safari didn't, I can think of a few reasons:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Google wrote a new JavaScript JIT compiler, V8, from scratch. The performance improvement was significant and it raised the bar for JavaScript performance (that engine is also used by the node.js project).&lt;/li&gt;
&lt;li&gt;The JavaScript engine and the WebKit rendering engine combined provide the fastest browsing experience on most platforms (this is my anecdotal experience - I haven't benchmarked it).&lt;/li&gt;
&lt;li&gt;Apple don't really promote and market Safari as much as Google promotes Chrome, and Safari on Windows is terrible.&lt;/li&gt;
&lt;li&gt;There is a thriving extension ecosystem and developer community around Chrome. Developing extensions for Chrome is a breeze and a dream. The Web Store is also easy to use and navigate.&lt;/li&gt;
&lt;li&gt;The Omnibar. Seriously, how did we use browsers before this thing? Whenever I am in Safari or another browser I can't break out of the habit of entering search terms or keywords into the address bar and hitting enter.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Firefox deal is paying Mozilla what the traffic is worth. What Google is paying for in the deal is the percentage of Firefox users who would otherwise not use Google as their browser were it not the default. This would likely be 30% of users of the 25% total Firefox share - so roughly 7.5% of all web browser users. $300M is cheap when you consider the billions invested by Microsoft in Bing marketing to attain a 10-15% market share.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NewWebOrder/~4/Fnj5qnZR3wc" height="1" width="1"/&gt;</description> 
  <pubDate>Sun, 25 Dec 2011 11:37:14 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/google-firefox-chrome-lady-gaga?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/google-firefox-chrome-lady-gaga?src=rss</feedburner:origLink></item>

<item> 
  <title>The Crunchpad is proof of obviousness in the iPad design</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/Hu6bv-lqEPQ/crunchpad-proof-obviousness-in-ipad-design</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;The patent case between Apple and Samsung regarding the iPad and Galaxytab has been an ongoing issue. Apple won an injunction against the sale of the Galaxy Tab in Australia, then saw the decision reversed, only for it to be re-applied by a higher court. A number of outlets &lt;a href="http://www.theverge.com/2011/12/2/2596527/apple-samsung-design-patent-iphone-ipad-work-around"&gt;reported on&lt;/a&gt; the advice &lt;a href="http://assets.sbnation.com/assets/807407/Apple_Reply_Expert_declaration.pdf"&gt;Apple has given Samsung&lt;/a&gt; in order to avoid its design patents.&lt;/p&gt;

&lt;p&gt;The advice takes the form of expert testimony from Peter W. Bressler, an industrial designer hired by Apple as a consultant on the case. His testimony is a rebuttal against the obviousness argument filed by another expert on behalf of Samsung. The Samsung expert, Mr Sherman, is attempting to argue that an &lt;i&gt;ordinary observer&lt;/i&gt; would come up with the Apple design as a natural evolution of tablet computing. Mr Bressler, for Apple, disagrees.&lt;/p&gt;

&lt;p&gt;The fight gets a bit dirty, with the Apple expert claiming that the Samsung expert isn't really an expert (because he didn't go to an industrial design school, apparently), but even if he were an expert, it wouldn't matter, because his argument is wrong anyway - and that he, Mr Bressler, is the one true expert, and he doesn't believe the Apple design is obvious. In page upon page of testimony Bressler argues why the Apple design is so unique, but in the end it comes down to things like rounded corners and centering the touch screen. Some highlights from &lt;a href="http://assets.sbnation.com/assets/807407/Apple_Reply_Expert_declaration.pdf"&gt;the testimony&lt;/a&gt; (edited for brevity; see the &lt;a href="http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv01846/239768/279/"&gt;online version&lt;/a&gt;):&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;Based on my understanding of the appropriate test of obviousness and my review of Mr. Sherman’s declaration, Mr. Sherman obviousness analysis is not correct. [..]&lt;/p&gt;

&lt;p&gt;First, Mr. Sherman does not purport to opine on whether an ordinary observer would find the prior art he constructs as substantially the same as the Apple designs. I have [..]&lt;/p&gt;

&lt;p&gt;Mr. Sherman’s opinion is purportedly based on his experience “in the telecommunication industry” and “mobile handsets technology and products.” (Id. ¶ 6.) This is not sufficient to establish expertise in consumer perceptions. [..]&lt;/p&gt;

&lt;p&gt;In contrast, industrial designers are trained to understand how consumers respond to visual cues and aesthetics. [..]&lt;/p&gt;

&lt;p&gt;Mr. Sherman testified that he has never studied marketing, industrial design, or minimalism. Third, it is my opinion that a designer of ordinary skill in the art is a designer who is experienced in the industrial design of consumer electronic devices. [..]&lt;/p&gt;

&lt;p&gt;Mr. Sherman is not a designer of ordinary skill in the art because he is not an industrial designer and has no experience as an industrial designer. He has taken no coursework in industrial design.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;The testimony then goes into detail about what Mr Bressler considers so special about the design of the iPad, and how a competing design could avoid conflicting with the Apple patents. These summary points were covered in the news media this week and were brilliantly torn apart in &lt;a href="http://www.baekdal.com/opinion/apple-never-designed-the-ipad-they-undesigned-it/"&gt;this post&lt;/a&gt; by Thomas Baekdal. They are, in summary:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Not a minimalist design (from sec 4.)&lt;/li&gt;
&lt;li&gt;Square corners rather than round corners (sec 79)&lt;/li&gt;
&lt;li&gt;Front surface that isn't flat (sec 79)&lt;/li&gt;
&lt;li&gt;Thick frames around the front surface (sec 79).&lt;/li&gt;
&lt;li&gt;Profiles that aren't thin.&lt;/li&gt;
&lt;li&gt;A front surface with decorations (sec 79)&lt;/li&gt;
&lt;li&gt;Cluttered appearance.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Samsung argues that the design is obvious and there is really no way around it (that is just part of it; this case is complicated and IANAL, but this part is easy to understand - that both the iPad and the Galaxy Tabs are natural evolutions of tablet computing).&lt;/p&gt;

&lt;p&gt;I find this interesting because I was involved in the &lt;a href="http://en.wikipedia.org/wiki/Crunchpad"&gt;Crunchpad&lt;/a&gt; project while at Techcrunch. It was an attempt to build a cheap tablet computer and we started the project a full two years before the iPad was announced. Apple is attempting to patent protect features of a design that we had published years before the iPad was announced. Our own designs were inspired by previous tablet designs, and minimalism in a tablet wasn't first seen with Apple and the iPad.&lt;/p&gt;

&lt;p&gt;We had no idea about the iPad, nor the patents, and I would consider us to be &lt;i&gt;ordinary observers&lt;/i&gt;, and the design we came up with is exactly like what iPad became, including the points discussed above.&lt;/p&gt;

&lt;p&gt;So I share the same opinion as Samsung - a design for a modern tablet is obvious and an evolution of previous design. There was a lot of prior art when we began the Crunchpad project, and having a tablet that was touch controlled rather than with a stylus wasn't really a revolutionary idea since there were a number of component manufacturers at the time who were scaling up their touch controllers to larger dimensions (9", 11", 12" etc.) in preparation for this market.&lt;/p&gt;

&lt;p&gt;When we described the idea we had for the Crunchpad to potential partners, ODMs, component suppliers, etc., everybody just &lt;b&gt;got it&lt;/b&gt;; you didn't even need to sketch it. The fact is that most knew that this market was about to explode, since the components were becoming cheap enough (specifically screens and touch controllers) and mobile processors powerful enough to the point where a tablet could sell for $500 - the right price point for mass consumer adoption.&lt;/p&gt;

&lt;p&gt;In touring with various component manufacturers and ODMs in 2008 and 2009 it was apparent that everything required for a cheap tablet was ready and waiting; it just needed somebody to bring it all together and take it to market.&lt;/p&gt;

&lt;p&gt;Here is a summary of our prior art from working on a cheap and portable tablet long before Apple announced the iPad. Almost all of the design aspects that Apple lay claim to in the case against Samsung had already been incorporated into the Crunchpad and other prototypes we had seen at the time.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;I believe that the Crunchpad is evidence that the Samsung argument is valid, that an independent observer would come up with what looks like the iPad as a natural evolution of tablet computing.&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;As a reminder, the iPad was announced on the 27th of January 2010. Our timeline begins eighteen months prior to that.&lt;/p&gt;

&lt;h3&gt;First Announcement - 21st of July 2008&lt;/h3&gt;

&lt;p&gt;The &lt;a href="http://techcrunch.com/2008/07/21/we-want-a-dead-simple-web-tablet-help-us-build-it/"&gt;first post&lt;/a&gt; about the Crunchpad went up including this prototype design, featuring a rectangle shape, rounded corners, a flat back, an LCD screen with a consistent margin around the outside and a touchscreen controller.&lt;/p&gt;

&lt;p&gt;&lt;img src="http://farm4.static.flickr.com/3030/2689708043_3afee5af69_o.jpg" class="screenshot" width="560" height="446"&gt;&lt;/p&gt;

&lt;h3&gt;Prototype A - August 2008&lt;/h3&gt;

&lt;p&gt;I built this prototype, including a basic software stack, in 2008 shortly after the first announcement. A touch screen centered in a rectangular package with a flat back and a screen that was flush with the casing.&lt;/p&gt;

&lt;p&gt;&lt;img src="http://tctechcrunch.files.wordpress.com/2008/08/tabletprototypea.jpg?w=640" class="screenshot" width="560" height="420"&gt;&lt;/p&gt;

&lt;h3&gt;Prototype B - mid-2009&lt;/h3&gt;

&lt;p&gt;Design drawings of a pre-manufacture prototype.&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-c5ebeic1ks8dmst1gefu5pi5um.jpg" class="screenshot" width="600" height="450"&gt;&lt;/p&gt;

&lt;h3&gt;Prototype C - mid-late 2009&lt;/h3&gt;

&lt;p&gt;We had two prototype designs manufactured. We had the orange model shown below, a white model and a black model. Again the points that Apple consider unique to the iPad were incorporated into this design:&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-rxi84sd6kpysbweb4ki44unqrq.jpg" class="screenshot" width="600" height="450"&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-x7ux6693tbhdbyu2s2j6i2kgkx.jpg" class="screenshot" width="600" height="450"&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-n5jb73hj8fqw7wyyksd9qq3pqc.jpg" class="screenshot" width="600" height="450"&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-e3r5fd7j8ugx83egx7cu2bbtc9.jpg" class="screenshot" width="600" height="450"&gt;&lt;/p&gt;

&lt;h3&gt;The Joojoo&lt;/h3&gt;

&lt;p&gt;The Crunchpad went on to launch as The JooJoo (long story).&lt;/p&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-miewsiy6mswhbbnid2ddfmmqbd.jpg" class="screenshot" width="600" height="399"&gt;&lt;/p&gt;

&lt;h3&gt;Four months later, Jan 2010&lt;/h3&gt;

&lt;p&gt;&lt;img src="https://img.skitch.com/20111209-j87w1ixbi9tdxexeiheh2jawyh.jpg" class="screenshot" width="600" height="398"&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/NewWebOrder/~4/Hu6bv-lqEPQ" height="1" width="1"/&gt;</description> 
  <pubDate>Fri, 9 Dec 2011 13:09:38 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/crunchpad-proof-obviousness-in-ipad-design?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/crunchpad-proof-obviousness-in-ipad-design?src=rss</feedburner:origLink></item>

<item> 
  <title>The Download Dot-Con</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/mzmru71GPC8/the-download-dot-con</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;&lt;img src="https://img.skitch.com/20111208-1kx78tjkwjgrru5q433fsp2cb3.jpg" style="float: left; margin-right: 10px" width="203" height="74"&gt; Fake software downloads are a huge problem on the web. A few weeks ago a non-technical friend called me and asked how to play some Xvid encoded movies he had downloaded. I told him that the best and easiest software to use is VLC Player. He asked if I could send him a copy or a link, and I said "it's ok, just Google for 'VLC download' and you will find it". Big mistake.&lt;/p&gt;

&lt;p&gt;A few days later he was having computer problems. There was a new toolbar in his browser, popups were constantly appearing, his search engine had been switched and the computer was running slow. I went over and removed all the crap that had been installed, ran a spyware scanner and then told him to generally be wary of approving permission requests from applications on the Internet. He then told me that this was &lt;i&gt;my fault&lt;/i&gt;, because it was 'that stupid VLC program' that had installed the toolbar, the new search engine and the spyware.&lt;/p&gt;

&lt;p&gt;VLC? Spyware? Excuse me? Turns out that the top search results for 'VLC download' are littered with fake download sites that take the VLC installer, bundle toolbars and search engines with them, and then make them available to unsuspecting web users. The webmasters are paid affiliate fees for each install.&lt;/p&gt;

&lt;p&gt;Over the &lt;a href="http://insecure.org/news/download-com-fiasco.html"&gt;past few days&lt;/a&gt; one of the major download mirror sites, CNet's download.com, was in the news. It turns out that they too were taking open source software, bundling toolbars and other software with the installer, and then promoting the downloads as legitimate software - trading on the name of reputable and trusted software such as the Nmap security scanner and the VLC Media Player.&lt;/p&gt;

&lt;p&gt;After Nmap author Fyodor brought the fake download.com downloads &lt;a href="http://seclists.org/nmap-hackers/2011/5"&gt;to public attention&lt;/a&gt;, CNet today &lt;a href="http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/"&gt;issued a statement&lt;/a&gt; claiming that bundling useless tools into the installers of open source software was never their policy, and this was all a mistake.&lt;/p&gt;

&lt;p&gt;A mistake made with almost every major and popular open source package on the site.&lt;/p&gt;

&lt;p&gt;As the comments on that thread point out, the bundling was still present on popular open source downloads such as FileZilla and PuTTY even after the post from CNet was published. The mistake was only that open source applications were included in this bundling racket; non-open-source applications continue to be bundled with adware.&lt;/p&gt;

&lt;p&gt;Other fake download sites that bundle similar toolbars are immediately marked as malware sites and forever relegated to the trash heap of the web. I do not see Download.com as being any different to the thousands of other sites out there that trade on the good name of popular software in order to profit through bundled adware. Download.com shouldn't be given a waiver because they are a large corporation - in this case the business model and the motive are no different to the download scam websites.&lt;/p&gt;

&lt;p&gt;From &lt;a href="http://www.cnet.com/2723-13403_1-461-16.html"&gt;Download.com Adware and Spyware Notice&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;When it comes to fighting unwanted adware and spyware, CNET Download.com has always been in your corner. During the past few years, we've brought you the best tools and tips in our Spyware Center, and we've maintained strict policies surrounding adware found in our download library. But in the first quarter of 2005, we launched a zero-tolerance policy toward all bundled adware.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;[..]&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;Although you may come across software from other sites on the Internet that contain adware or spyware, you can feel safe knowing that Download.com has tested software products included in our CNET Download.com listings.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;and..&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;That means every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;This policy was implemented in 2005. It was in response to an uproar at the time about Download.com and bundled adware in downloads. What it meant was that developers couldn't bundle &lt;i&gt;their own&lt;/i&gt; adware into their software products. A short time later Download.com launched their download manager. When you click to download a file, instead of getting the original installer, it would download a small Download.com client which would subsequently install the actual product you wanted - but only after a few nag screens prompting you to &lt;a href="http://www.ghacks.net/2011/08/17/the-cnet-download-com-installer/"&gt;install toolbars and other adware&lt;/a&gt; (as that post mentions, users who are used to clicking &lt;i&gt;Next, next, next&lt;/i&gt; would install it all by default).&lt;/p&gt;

&lt;p&gt;Download.com put an anti-adware policy in place, but that was just clearing the path for their own bundled adware and spyware (I consider most toolbars as spyware, since they record every site you visit).&lt;/p&gt;

&lt;p&gt;Open source applications being bundled was just an "oops" mistake, but it still continues with other popular software packages (such as the &lt;a href="http://download.cnet.com/DivX-Plus-Software/3000-13632_4-10062728.html"&gt;DivX player&lt;/a&gt; I just downloaded and installed).&lt;/p&gt;

&lt;p&gt;To be clear: the bundled software is completely useless to most users, is an invasion of user privacy and if thoroughly explained and properly labelled most users would opt-out. The business almost entirely relies on tricking users into installing the bundled software.&lt;/p&gt;

&lt;p&gt;There is only one solution to this, and it is that Download.com cannot be trusted as a mirror for popular software. It is no different to the fake download sites that trick users into installing toolbars and adware - and like those other sites, Download.com should be blocked and reported as a badware site, at least until they revert to providing a clean mirror of software packages.&lt;/p&gt;

&lt;p&gt;I have blocked &lt;code&gt;download.com&lt;/code&gt; and &lt;code&gt;download.cnet.com&lt;/code&gt; in my DNS server, and have also reported download.com &lt;a href="http://www.google.com/safebrowsing/report_badware/"&gt;to Google as an unsafe badware site&lt;/a&gt;, and I suggest you do the same. It shouldn't take too many reports until either Google investigate or Download.com opt to completely clean up.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; you can access clean installs from download.com if you sign up for an account on the site. But who the hell does that.&lt;/p&gt;</description> 
  <pubDate>Thu, 8 Dec 2011 17:15:33 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/the-download-dot-con?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/the-download-dot-con?src=rss</feedburner:origLink></item>

<item> 
  <title>Google Android: The Accidental Empire</title> 
  <link>http://feedproxy.google.com/~r/NewWebOrder/~3/O4JvR5ATDvU/google-android-the-accidental-empire</link>
  <dc:creator>Nik Cubrilovic</dc:creator>
  <description>&lt;p&gt;What Google has done with Android is amazing. The mobile operating system is now &lt;a href="http://searchengineland.com/comscore-android-nears-50-us-smartphone-market-share-95768"&gt;44% of the smartphone market&lt;/a&gt; and its rise, along with iOS, has contributed to the utter destruction of both &lt;a href="www.mondaynote.com/2011/12/05/behind-rim’s-485m-write-off/"&gt;RIM&lt;/a&gt; (peak market cap of almost $80B, down to $8B today) and &lt;a href="http://blogs.wsj.com/tech-europe/2011/02/09/full-text-nokia-ceo-stephen-elops-burning-platform-memo/"&gt;Nokia&lt;/a&gt; (peak market cap of $158B, down to $19.5B today).&lt;/p&gt;

&lt;p&gt;I spent some time the other day standing in a cell phone store running the support gauntlet with my provider. While waiting on a staff member to help me, I was browsing all the latest phones and noticed something remarkable: every single phone in the main display area was an Android device. New devices from HTC, Motorola, Samsung, etc., indistinguishable from each other in many ways, but all running the Google mobile operating system.&lt;/p&gt;

&lt;p&gt;Apple had a full two-year head start over Android. The iPhone was an absolute success and iOS now makes up a majority of Apple revenue. Yet Android has overtaken it in market share and is growing faster in taking what is left of the Blackberry and Symbian share. It was only when Google announced last year that over &lt;a href="http://tech.fortune.cnn.com/2010/08/04/google-passes-the-200000-android-activationsday-mark/"&gt;200,000&lt;/a&gt; new Android devices were being activated each day that most took notice of what Android was becoming: a dominant mobile platform, a Microsoft-beater, and an Empire.&lt;/p&gt;

&lt;p&gt;Android almost didn't happen. All of it. From Google releasing their own device, through to Microsoft being crushed and Google now holding a near-majority of the ultra-competitive smartphone market. This is because Google's purchase of Android was carried out on a whim. The two co-founders went around Eric Schmidt, then CEO, and purchased the small Palo Alto-based startup for around $50 million - Schmidt knew nothing about it at the time.&lt;/p&gt;

&lt;p&gt;I had heard this story some time ago, but it came back to me as I was standing in the store and seeing first-hand the dominance of Android. I found out about what happened with the Android acquisition during an otherwise routine press briefing in October of 2009. Eric Schmidt and Sergey Brin held an open press event in New York. Most of the event revolved around the controversies Google were involved in at the time: Google Books, antitrust investigations, Android lagging behind iPhone.&lt;/p&gt;

&lt;p&gt;In answering a question about mobile and enterprise strategy, and potential acquisition targets, Schmidt revealed that he was not involved in the Android acquisition. He said that he didn't even know that Larry and Sergey had purchased the company. There is a transcript of the briefing &lt;a href="http://techcrunch.com/2009/10/07/a-conversation-with-sergey-brin/"&gt;at Techcrunch&lt;/a&gt;, the relevant part is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;b&gt;Question:&lt;/b&gt; What are the most attractive areas for acquisitions?&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Schmidt:&lt;/b&gt; we turned off M&amp;A down, we didn’t want an additional expense streams without [additional revenues] We’ve turned it back on again. &lt;b&gt;One day Larry and Sergey bought what became Android, and I didn’t even know about this&lt;/b&gt;. They said this is really interesting. I didn’t think about that, but now think about the strategic opportunities that created.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Nobody in a room full of journalists seemed to recognize the significance of this statement at the time. They moved on to the next question, and none of the summaries or stories about the press event that day in New York made mention of what Schmidt said about Android, or indeed the implications of the decision-making process.&lt;/p&gt;

&lt;p&gt;This says a lot about how Google work. Keyhole Software, which went on to become Google Earth, was also acquired in a similar manner. By being flexible and daring, Google has established itself as a leader in one of the fastest growing technology markets in the world. They beat out established industry leaders by taking a chance.&lt;/p&gt;

&lt;p&gt;I find the story of how Android was acquired to be an interesting piece of technology folklore - like how Bill Gates sold DOS to IBM without actually having an operating system, or how Steve Jobs visited Xerox PARC and was inspired to create the Macintosh. You can now add the story of how a leading smartphone platform was acquired for comparatively little money, established Google in a new and important market, and how it created an empire almost accidentally.&lt;/p&gt;</description> 
  <pubDate>Wed, 7 Dec 2011 17:39:48 +0000</pubDate> 
  <guid isPermaLink="false">http://nikcub.appspot.com/posts/google-android-the-accidental-empire?src=rss</guid> 
<feedburner:origLink>http://nikcub.appspot.com/posts/google-android-the-accidental-empire?src=rss</feedburner:origLink></item>

</channel>
</rss>
