Friday, December 4, 2015

So long Firefox...

In the past half year I've largely stopped using Firefox. Day to day I've moved my browsing to Chrome with all the devices I use. Even on my iPad Pro -- the A9X SoC inside the iPad Pro is so powerful that I don't care if Safari is in fact faster, I'd rather be able to view recent browsing on my other devices and recall stored passwords versus imperceptible differences in JavaScript performance. 

My abandoning Firefox is fairly recent compared to many former Firefox users that I've known who by their technical nature emigrated to Chrome long ago. So why the delay? For the loooooongest time, I didn't see much difference between Firefox and Chrome on my home PC. Unlike many people who are automatically drawn to laptops, I've never been much of a laptop person. For accessing information impromptu, I greatly prefer the portability of a high end smart phone.

I also happen to be both a videophile and an audiophile.

On my Windows 10 system I have both a 34" display with a cinematic (21:9) aspect ratio and a 27" 4K display. Both have outstanding color accuracy and use In Plane Switching (IPS) technology to provide great viewing angles and a wider color gamut. On my Mac, I use a 27" Apple Cinema Display. The small displays of laptops provide a very cramped work space compared to what I'm used to.

Then there's audio. Audio on most PCs is extremely low end. The biggest player in the space is Realtek whose silicon powers audio on PCs. They sell each audio chip for less than the cost of a Starbucks Espresso. For some juxtaposition, the Soundblaster ZxR audio card inside my PC cost $250 -- it provides high end DACs for both the front and rear channels. Did you catch that part about the front & rear channels? Yep, I have a reference Klipsch 5.1 speaker system attached to my PC.

What does this have to do with Firefox? Bear with me... 

I have a very high end PC, no doubt I've made it abundantly clear by now. Over the last few years, using Firefox on my home PC, I rarely, if ever, noticed a difference in Firefox's performance versus Chrome.

The problem started with my work PCs, which as you can imagine are nowhere as 'leet' as my home system. When I started my last job, I ran Firefox on a lower end desktop since I spent lots of time with emails and SSHing into systems where the workload wasn't immediately in front of me but in the cloud. I noticed Firefox was not its snappy self, at least compared to what I was used to at home, but I always chalked it up to the hardware sitting on my desk.

Then one of the developers left so I took over his Core i7 tower with 16 gigs of RAM -- plenty of CPU & memory to run anything I needed. And yet... I noticed Firefox performance was still sluggish and not up to par with what I was used to at home. I had inherited the box from a developer who had installed all kinds of software on it. Who knew what was going on under the hood, right? I wasn't inclined to rebuild it from scratch so I figured something deep down might explain Firefox being sluggish.

The first nail in the coffin (moving away from Firefox) was when the hard drive on this Core i7 died after about a year of usage. I rebuilt the system with a clean install of Windows 7 and still, Firefox was sluggish. I noticed the integrated GPU was pretty low end, Intel's HD2000, so I brought in a dedicated nVidia video card I had at home that I no longer used and yet... Firefox was still sluggish.

I recollected how someone I knew was talking about how Chrome was always snappier, regardless of the hardware and one of the ZDNet bloggers always complained of Firefox's performance. Maybe they were right? Certainly my own experiences on systems that weren't my home PC were bearing this out. 

The final nail (which accelerated my leaving Firefox) was when Google released 64-bit Chrome for Windows. I might mention that 64-bit Chrome is not the default Chrome download, but having a 64-bit browser makes various kinds of exploits much harder to pull off:

https://en.wikipedia.org/wiki/Return-to-libc_attack

Excerpt:

Address space layout randomization (ASLR) makes this type of attack extremely unlikely to succeed on 64-bit machines as the memory locations of functions are random.


And in light of what's going on these days, that's a good thing:


I wrote on the latter general topic some years ago:


Tuesday, September 23, 2014

atoi (in 32 bit x86 Assembly)

During my Amazon days some years back, an inside joke was established between some of us regarding the C function, atoi. One of our teammates named Kevin was fixated on the most efficient implementation of atoi in C. Since our charter wasn't even to code or maintain any C code, Kevin was being rueful about his college days more than anything else.

After the discussion died down, the following day another team member cracked, "Well, Kevin, now it's time to tackle itoa." We all chuckled but writing atoi became an inside joke with various wisecracks such as "Oh... Kevin's next big project probably is writing atoi with one line of code."

A couple of years later when Kevin and I were no longer coworkers, he told me he was interviewing candidates at Amazon and I wisecracked, "You should have the candidates write atoi... in x86 assembly!" Again, we chuckled.

Well, it turns out I have a degree in computer engineering and outside of electrical engineering classes during my undergrad, I had an engineering class involving the use of a microcontroller board and having to write assembly code for the labs. So that evening, I took on my own challenge, i.e., writing atoi in x86 assembly. Nowadays I work in the network engineering space so this isn't something I do on any active basis, even so, before too long, I wrote code that follows below (no "googling" involved here).

The experience back then gave me an invaluable understanding in computing that few achieve today. That's why when security advisories come out calling out arbitrary code execution, the advisory doesn't simply go in one ear and out the other. Which is a segue for an anecdote -- once a vendor in a large IT security fair was demonstrating his product and he asked a room of about 150 IT professionals, "Anyone here know what a NOP sled is?" and I was the only person who raised their hand...

; NASM syntax, 32-bit cdecl. Assumes the string holds only ASCII digits.
atoi: push ebp
      mov ebp, esp         ; Establish stack frame for args

      push ecx             ; Counter for strlen
      push edx             ; Holds current power of 10
      push esi             ; Index for loop
      push edi             ; Accumulates the result

      mov esi, [ebp+8]     ; First argument: pointer to string
      mov ecx, 0

str_len_loop:
      cmp byte [esi], 0
      je len_end
      inc ecx              ; will hold strlen at loop's end
      inc esi
      jmp str_len_loop

len_end:
      cmp ecx, 0           ; Anything to convert?
      mov eax, 0           ; If not, return 0, like C stdlib
                           ; (MOV leaves the flags from CMP intact)
      je atoi_end          ; if ecx == 0 we're done

      mov esi, [ebp+8]
      lea esi, [esi+ecx-1] ; Point ESI to last char of string passed to us

      mov edx, 1           ; Start with lowest order power of 10
      mov edi, 0

core_loop:
      movzx eax, byte [esi] ; *esi has a single digit ASCII char
      sub eax, 0x30        ; subtracting 0x30 leaves us with
                           ; digit for that power of 10

      imul eax, edx        ; Two-operand IMUL multiplies EAX by EDX
                           ; without clobbering EDX (MUL would)
      add edi, eax

      imul edx, edx, 10    ; Have next highest order power in edx

      dec ecx
      cmp ecx, 0
      je core_loop_end
      dec esi
      jmp core_loop

core_loop_end:
      ; When everything is said and done EDI will hold value to return
      ; Canonically return values are passed back via EAX
      mov eax, edi

atoi_end:
      pop edi
      pop esi
      pop edx
      pop ecx
      pop ebp

      ret
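Added example (not part of the original post): the same right-to-left, powers-of-ten conversion in C, once exactly as unguarded as the routine above and once with the digit and overflow checks it lacks. The names atoi_unchecked, atoi_checked and parse_status are assumptions made for this illustration, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same walk as the assembly routine: start at the last character and
 * multiply by rising powers of 10. No validation, 32-bit wraparound. */
uint32_t atoi_unchecked(const char *s)
{
    size_t len = strlen(s);
    uint32_t power = 1, result = 0;

    while (len > 0) {
        uint32_t digit = (uint32_t)(unsigned char)s[len - 1] - 0x30u;
        result += digit * power;      /* wraps silently past 2^32 - 1 */
        power *= 10u;
        len--;
    }
    return result;
}

/* Hypothetical status codes for this example. */
enum parse_status { PARSE_OK, PARSE_EMPTY, PARSE_BAD_CHAR, PARSE_OVERFLOW };

/* Checked variant: rejects NULL or empty input, non-digits, and any
 * value that does not fit in 32 bits. Writes *out only on success. */
enum parse_status atoi_checked(const char *s, uint32_t *out)
{
    uint64_t power = 1, result = 0;
    size_t i;

    if (s == NULL || out == NULL || *s == '\0')
        return PARSE_EMPTY;

    for (i = strlen(s); i > 0; i--) {
        unsigned char c = (unsigned char)s[i - 1];

        if (c < '0' || c > '9')
            return PARSE_BAD_CHAR;
        if (power > UINT32_MAX) {     /* past the 10^9 column */
            if (c != '0')
                return PARSE_OVERFLOW;
            continue;                 /* leading zeros are harmless */
        }
        result += (uint64_t)(c - '0') * power;
        if (result > UINT32_MAX)
            return PARSE_OVERFLOW;
        power *= 10;
    }
    *out = (uint32_t)result;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs: valid, stray letter, 2^32, empty. */
    const char *samples[] = { "1234", "12a", "4294967296", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = 0;
        enum parse_status st = atoi_checked(samples[i], &v);

        printf("\"%s\": unchecked=%u checked status=%d value=%u\n",
               samples[i], (unsigned)atoi_unchecked(samples[i]),
               (int)st, (unsigned)v);
    }
    return 0;
}
```

The unchecked form turns "12a" into a plausible-looking number and wraps 2^32 around to zero, which is the kind of silent misparse that length and bounds calculations downstream end up trusting.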

Friday, August 23, 2013

The Time Has Come

Microsoft's Steve Ballmer announced today that he would be stepping down as Microsoft's CEO in the coming year. 

The reasons are many but in short, things have not been going well for Microsoft when viewed through the lens of long term planning. I will direct the reader to something I wrote back in February of 2010:

How Microsoft Lost the Platform War

That very same month, here is what ZDNet's Ed Bott had to say:

Can Microsoft close the app gap with Apple's iPad?

Excerpt:

Microsoft has been refining for the past decade, and I can confidently predict that Apple will do a much better job of implementing those features than any of Microsoft's partners have done so far.
.
.
Nearly eight years after its introduction, the Tablet and touch technology in Windows is nothing short of spectacular, especially the parts that recognize handwritten input. And yet it's still nearly impossible to assemble a full suite of Windows apps that were designed to work well on a touch-enabled PC.

In reading Mr. Bott's words, you get the sense that he sees the future back in 2010 as clearly as knowing the sun will rise the next day. But if you carefully read what Ed Bott wrote it is less about prophecy and more about observing a company not wanting to change the status quo, for in his opening statement he says:

I've owned a succession of Tablet PCs over the past roughly seven years, nearly as long as they've been around.

In other words, Microsoft was dabbling with new forms of computing for many years. It just never had the vision or the moxie to cannibalize its own products:

“If you don’t cannibalize yourself, someone else will” -Steve Jobs

Moving to the present day, Dell this past week announced terrible earnings:

Dell Profit Falls 72% On Flat Revenue

Hewlett Packard noted that sales of PC continue to contract:

HP posts revenue decline as PC sales weaken further

And office supply retailer Staples did not have words of comfort for Microsoft's future in the consumer space:

Staples supplies bad news on PC sales

All of this bad news has been underscored by the extremely poor showing that was Microsoft's first direct attempt to compete with Apple in the tablet space:

Microsoft's $900 million Surface RT write-down: How did this happen?

So the news that Ballmer is stepping down is not completely shocking. Perhaps it is shocking in the general sense, as many CEOs have sent their companies into the grave (or on the path to it) before yielding. RIM anyone? When the iPhone was launched in 2007 Nokia's CEO likened Apple to a flea buzzing around its major market share. How times change.

Therefore I applaud Mr. Ballmer's decision for having the humility to accept change. It's simply time.

Saturday, November 24, 2012

"I don't need car insurance since I only drive to places familiar to me"

It has been a while since I have made a post but in the past month I've had the same conversation with two different people where the underlying logic was akin to the title of this post:

I don't need car insurance since I only drive to places familiar to me

Both are people who actively use technology and one happens to manage a fleet of server systems. What was the topic? Desktop security while browsing, i.e. avoidance of malware. I was encouraging a certain approach to browsing which I have already talked about on this blog. I've heard many arguments on this front which are usually just masks for hope as a strategy (which it isn't, i.e., hope). They feel comfortably ensconced with "I only use browser 'X' for my finances" or "I only visit trusted sites". Unfortunately such thinking is akin to the latter statement about car insurance. Here's why:

http://arstechnica.com/security/2012/11/new-linux-rootkit-exploits-web-servers-to-attack-visitors/

The latter case is classic pharming. The idea being that unlike phishing where you spray/send malware randomly by various means, often email, to users and hope someone falls for it, in pharming you poison the water well as it were and have a greater chance of something sticking simply because the malware is being served up by a legitimate web site and the content is actively being processed by a web browser.

In the case of phishing, multiple approaches have been found in the wild. Some come in the form of spam, but various email providers have gotten very good at filtering such emails and, as the Internet user base has gotten increasingly tech savvy, the efficacy of this approach diminishes. There are also web sites disguised as legitimate sites trying to trick users into divulging their username and password. With all of these, the chances of deceiving someone are much smaller than in a situation where every single web page served up by a legitimate web site has malware embedded in it, hoping to leverage exploits in unpatched software on the desktops of unsuspecting users, up to and including their favorite web browser. Namely pharming.

The example that Ars Technica has brought to light is not new. Ad networks that serve up ads for popular web sites have in the past been compromised and found to be serving up malicious content:

https://threatpost.com/en_us/blogs/major-ad-networks-found-serving-malicious-ads-121210

Then there are cases of more directed attacks where a legitimate site is breached on account of having users with a given demographic profile, in this case, money to pilfer:

http://securityledger.com/web-attacks-target-foreign-exchange-payment-processing-sites/

http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47m-by-infecting-pcs-and-phones/

So, it does not matter if you are only visiting the Wall Street Journal or the New York Times or whatever web site strikes your fancy -- if your computer is fetching content on the web, you are at risk. Quite simply, most web pages are an aggregation of content from many, many sources. There is simply no way any individual can police how diligent all these content providers are with respect to their computer security maintenance and security policies.

These are the two tools I encourage everyone to install:

http://mastercobbler.blogspot.com/2010/09/microsofts-enhanced-mitigation.html

http://mastercobbler.blogspot.com/2010/06/microsoft-security-essentials.html

This all underscores why the logic of "I only visit sites I trust" does not work and why I liken it to "I don't need car insurance since I only drive to places familiar to me".

Realize that the only computer system that is 100% secure is one that does not exist. So it is all about mitigating the chances of you becoming a victim. Ignorance is bliss until reality comes calling.

Sunday, December 25, 2011

Windows vs. Mac OS X (It comes down to font rendering)

When it comes to which operating system someone likes, it's very much based on what biases that person brings to the table. So no shock that people who have been on Windows for years have numerous complaints about Mac OS X or vice versa.

However, there are differences that have nothing to do with user interface design choices such as toolbars (or lack thereof), keyboard shortcuts, etc., etc. One of the biggest differences between the two platforms is fonts, but more specifically, font rendering. If you've used Windows for years, one of the first things you'll notice as you start using Mac OS X is that things, e.g., web pages, look different and indeed it's not just your imagination. It turns out how Apple renders fonts is different than how Microsoft does it on Windows:

http://www.joelonsoftware.com/items/2007/06/12.html

I became acutely aware of the latter back in 2007 on account of noticing that the Windows version of Apple's Safari browser made pages look different than what I had been accustomed to while browsing with Firefox and IE (before I stopped using it years prior).

Turns out, now that I've had a Mac for the past year, I've reached a point where I prefer browsing on my Macintosh vs. my Windows system because of this font rendering difference (how pages look).

While I would agree with Spolsky that Windows' fonts are easier to read, the difference isn't stunning. Text is clear on the Mac. It's just that Windows uses less anti-aliasing and the pixel contrast, i.e. the individual pixels that make up a single letter, is more pronounced on account of the jaggies. Spolsky also writes:

you'll find that most people don't really know what to choose, and will opt for the one that seems most familiar.

Reiterating, after actively using Mac OS X for a year, I now prefer browsing on my Mac. It's created a bias such that, if I bought a laptop today, it would be an Apple MacBook. (Aside: The Mac I got 12 months ago is a Mac Mini).

While font rendering is subtle, since it is visual and vision is people's primary sense, it's a major anchor for ensconcing people into a comfort zone. And since people are wont to resist change, it's very hard to pry them away from said comfort zone once they gravitate to it. This all means that people dropping Windows in favor of Macintoshes aren't likely to come back anytime soon. As a bad portent for Microsoft, check out the following AppleInsider article that came out last month (Nov. 2011):

http://www.appleinsider.com/articles/11/11/14/mac_sales_surge_despite_slipping_european_pc_market.html

In summary, PC sales dropped double digits in both the UK & Germany and close to 10% in France. But if companies selling PCs in Europe are blaming the global recession, the Macintosh market for Apple in Western Europe grew just shy of 20% year over year. I'll also remind the reader that Apple charges a premium for its hardware.

In closing, while I very much still use Windows 7 on account of Windows Media Center and my XBox360 acting as my DVR (check out the latter video link), nowadays if I'm browsing the web, more than likely it's on an Apple device (my Mac, iPad 2 or iPhone).

Tuesday, September 27, 2011

No, Google's Chrome Browser isn't the fastest browser by leaps and bounds (anymore)

Tech people (like the rest of Homo sapiens) are experts at mixing facts with opinion, a.k.a. bias. In my view Firefox by and large caught up to Chrome with release 4.0. Since then it has continued to make great strides...

Yet, I've noticed many people saying "Firefox is bloated, slow, blah, blah, blah, blah, blah". One of them (who I don't know personally) is ZDNet blogger Steven J. Vaughan-Nichols. In short, Steven trashes Firefox with every major release but worships Chrome's every release. Merely juxtapose what he wrote not even one month ago about Firefox 6 when it was released (the Mozilla team this year adopted a fast release cycle like Google's for Chrome):

http://www.zdnet.com/blog/networking/firefox-6-a-firefox-too-far-review/1380

Now compare that with what he wrote about Chrome 14 which came out a few days ago:

http://www.zdnet.com/blog/networking/chrome-14-the-best-web-browser-keeps-getting-better-review/1469?tag=search-results-rivers;item3

There's opinion, "Firefox is bloated", then there's reality. Lifehacker just juxtaposed Firefox 7 with other major browsers:

http://lifehacker.com/5844150/browser-speed-tests-firefox-7-chrome-14-internet-explorer-9-and-more

Going back not even a month ago Tom's Hardware did JavaScript performance tests comparing the major browsers:

http://www.tomshardware.com/reviews/web-browser-performance-standard-html5,3013-9.html

In terms of JavaScript performance, Firefox 6 beat Chrome 13 in 4 of 5 tests. And today Firefox 7 was released. In closing, if your frame of reference of Firefox is anchored in the distant past, you should look again. Beyond that, if the plugins you've used under Firefox have memory leaks, crash Firefox, etc., etc., that's not the Mozilla team's fault.

I should also point out that Firefox for many years has supported HTTP Pipelining. Chrome to this day does not support HTTP Pipelining, which is part of the HTTP 1.1 specification that came out 10+ years ago. Chrome does feature an alternative called SPDY; however, this is not part of the HTTP specification and you will only benefit from it if you are visiting Google web properties. The only popular browser that readily supports HTTP Pipelining is Firefox. One notable benefit is that as your connection latency goes up, e.g., 3G aircard, tethering on your laptop or God forbid, dialup, performance improves. If you find yourself browsing a lot on a 3G connection then Firefox with HTTP Pipelining is for you. Performance also goes up as the number of distinct elements that need to be fetched goes up, e.g., lots of images (which translate to that many more HTTP requests).

HTTP Pipelining is the first thing I enable when I have a new Firefox profile. In the address bar simply type "about:config", search for "pipe" then set network.http.pipelining to true. I also change network.http.pipelining.maxrequests to 7.

Sunday, September 12, 2010

Microsoft's Enhanced Mitigation Experience Toolkit


A week ago Microsoft released version 2.0 of EMET (Enhanced Mitigation Experience Toolkit):

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&displayLang=en

Don't know what EMET is? I highly suggest you use it to launch applications that talk on the Net, in particular your browser. Here's a very technical video from Microsoft that talks about EMET:

http://technet.microsoft.com/en-us/security/ff859539.aspx

Let me give you a sample scenario. You visit a legitimate site that you've used for ages where, unbeknownst to you, the ads being served up are coming from a compromised ad server (a scenario which, by the way, has happened many times). The malware then attempts to leverage an arbitrary code execution flaw. Unfortunately for you, you're not very diligent about keeping your system up to date, or you've ignored updating your system because, well, "I'll do it later." Malware sent your way succeeds in leveraging an arbitrary code execution flaw that surfaced in your browser of choice just two days ago, installing a backdoor and thus gaining complete control of your computer, at which point the remote attacker can take whatever files they please, use your computer as part of a spam network, denial of service network, etc., etc. In short, your system is completely at someone else's mercy and you don't even know it.

Let's take a more optimistic scenario. You're on a fully patched Windows 7 system with UAC enabled, so you're safe (usually) from getting your machine taken over, but malware comes in through your browser, which isn't patched. You don't have the latest browser revision because you've put it off, turned off auto-updates or, worse, there's no patch for an exploit that has surfaced. You're then unfortunate enough to visit a site with malware, and a recent exploit is leveraged, introducing rogue code into your system. That code is at the very least capable of reading and modifying files you use day to day, whether they be explicit documents (such as MS Word) or implicit documents (the cookies in your browser). Unfortunately, your browser doesn't prevent the malicious code from reading any file(s) belonging to you, in particular, browser cookies. After which, someone starts going into your various online accounts with your active cookies (which were conveniently sent to them over the Net) to see what they can find.

So how do you use EMET?

1) Go to the first link I provided - download and install EMET
2) After launching EMET hit the Configure Apps button in the lower right
3) Hit the Add button on the dialog box that comes up and specify the path to an executable you would like to protect, e.g.:

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

4) Hit the Open button on the file browsing dialog (aka OK).
5) Restart the application in question, in this example, Firefox

(Look at blog post image)

Firefox is now protected from a variety of attack vectors often used in arbitrary code execution. The video elaborates on them quite well.

Whereas RemoveAdmin (a security tool that I authored) is all about leveraging OS level security, Microsoft's EMET is about maintaining the integrity of processes and thus, at the very least, providing application level security, e.g., your browser cookies. At worst, if you have an unpatched system (the OS) you could find yourself with a system that's been botted, has had a keyboard logger installed, etc., etc.

In my particular case, I not only have added the browsers I use day to day to EMET (Chrome, Firefox), I've added all applications I regularly use that talk on the Internet. In particular, iTunes, WinAmp, Outlook, Adobe's PDF reader, Windows' Media Player and Apple's QuickTime player. The links I've provided in the previous sentence point to security advisories for each of these applications; they are not links to the products' respective web pages. If you have doubts about what I'm saying, just visit those links. Yes, as hard as it is for a lay person to comprehend, you can have your system compromised by watching a video pulled off a web site. This is why you should start using EMET today. In short, I will never launch my browser from here on out without this tool.

Finally the following article surfaced after my initial blog post. Here's a scenario where an exploit of Adobe's PDF reader has surfaced, Adobe itself doesn't yet have a patch but through the use of EMET the exploit is short-circuited: