IE 9 puts Microsoft back into the browser game

Get a free jumpstart on using Windows 7

We like to give our loyal Windows Secrets subscribers a little something extra when we can.

This month, every Windows Secrets subscriber can download a one-chapter excerpt of Windows 7: The Missing Manual by David Pogue.

Pogue’s invaluable book provides essential information you’ll need to make the most of Windows 7. It covers topics such as navigating the desktop, Window’s apps and gadgets, and even backing up your files.

Exclusively for Windows Secrets subscribers, O’Reilly Media is providing a free excerpt: Chapter 3, Searching and Organizing your Files. It delves into topics such as Windows Search, icons, moving and copying files, and burning CDs and DVDs from the desktop.

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

IE 9 puts Microsoft back into the browser game

By Woody Leonhard

Internet Explorer has been a distant third-string player to Firefox and Chrome for so long, we thought it could never catch up.

But with a slick new interface and enhanced Windows 7 features, IE 9 — now in public beta — just might put Microsoft back at the top of the browser game.

For the past four years, I’ve sung the praises of Firefox, going so far as recommending it in all of my books. I’ve used Firefox and, more recently, Google’s Chrome almost exclusively. But last week, a friend of mine started shouting online, “Ya gotta see this! Microsoft’s come up with some great new stuff!” My reply? “Yeah, sure.”

A few months ago, I played with an early beta version of Internet Explorer 9. It left me cold — more of the same old IE stuff, piled higher and deeper. Meh.

Microsoft released the public beta (info site) of IE 9 last week, complete with a heavily rejiggered user interface and a number of much-hyped enhancements. And after trying it for a few days, I have to admit that I was impressed — so impressed that I’ve continued to use it, from time to time, even when I don’t have to.

I’m not going to bore you with a recitation of the IE 9’s list of new features. Microsoft’s patented marketing machine has churned out more info than you’ll ever want or need. Instead, let me point out what I think shines in IE 9 — and what still leaves me cold.

Oh, and by the way: it’s true that Internet Explorer 9 will not run on Windows XP.

Tab dancing with the new IE interface

Although Microsoft touts it as one of IE 9’s greatest inventions, I’m ambivalent about the browser’s new tab interface. I think it’s cool — but in a limited way.

Let’s start with tear-away tabs. Firefox and Chrome have had them for ages. When you click on a tab and drag it, the tab blossoms into its own browser window. Drag the new standalone tab back to its original window, and the tabs go back to their previous location. In Version 9, Internet Explorer finally does this, too. But IE 9 has an additional trick up its sleeve.

If you drag the favicon — the tiny icon to the left of the Web address — onto the Windows desktop, Windows creates a shortcut to the Web site. You knew that already, yes? Double-click on the shortcut, and Windows fires up your browser and takes you to the site. Windows has done that forever, with all the major browsers.

New to IE 9 — and currently unique to IE 9 — is the ability to drag a tab to the Windows 7 taskbar. When you drop a tab onto the taskbar, you pin the site to the taskbar (as with the Dummies site shown in Figure 1), just as you would pin programs. (Currently, you can drag a Web site in the browser’s search/URL address bar — but not a tab — and pin it to your default browser’s taskbar icon.) This new feature makes launching sites you go to everyday, such as windowssecrets.com, just a little faster.

Figure 1. You can pin individual Web sites to the Windows 7 taskbar.

When you click on the newly created icon in the taskbar, IE 9 appears with the site’s icon on the left side (note “Mr. Dummy” to the left of the left-pointing arrow in Figure 1); the forward-and-back arrows take on the color of the icon. If you click on the site’s icon, you’re returned to the site, just as when clicking on the IE 9 Home icon.

I wouldn’t call that a breakthrough innovation, but it does show some ingenuity. Chrome 6 has, for a long time, had a similar feature called Application Shortcuts (click the Tools icon, choose Tools, Create Application Shortcuts), but it doesn’t work as well.

Pinning a site on the Win7 taskbar is neat, but it doesn’t hold a candle to the revolutionary new Tab Candy, er, Panorama feature that’s evolving in the Firefox 4 betas. Panorama lets you group tabs together, stick them out of the way, and bring them back as a group. It’s a slick way to combine related tabs in a set and switch sets as you change tasks or topics. There’s a good overview of Panorama on Aza Raskin’s blog. I’ll have a more thorough review in a forthcoming Top Story, after the final feature set has shaken out in Firefox 4.

Quicker graphics, faster Java — and HTML5

Every browser claims to be the fastest, and every browser manufacturer can whip out studies (possibly bought and paid for) that prove theirs runs rings around the competition. Performance numbers for beta software can never be trusted; that said, IE 9 really does feel fast.

A new, faster JScript engine called Chakra and hardware-based graphics acceleration probably account for the browser’s improved speed — especially the latter, which uses your PC’s graphics processing unit’s (GPU) oomph to offload work by the system’s main CPU. At this point, IE 9 and Firefox are both showing some impressive results with GPU acceleration.

Google doesn’t have much acceleration built into Chrome 6. But whoa Nelly, watch out for Chrome 7! In a Chromium blog, Chrome’s engineers claim they have a fancy 2D canvas acceleration feature that will make Chrome 7 run 60 times faster than Chrome 6 in some benchmark tests. Makes one wonder whether version 7 is that much faster or 6 is that much slower.

HTML5 may add another component to IE 9’s quickness. A new (and still-emerging) standard, HTML5 allows Web designers to bring animation to their sites without relying on Adobe Flash or Microsoft’s Silverlight. With properly constructed HTML5 tags, plus a browser that can translate those tags into commands run directly by your PC’s graphics card, HTML5 should make graphics-intensive Web browsing fast indeed.

Microsoft’s way behind the pack on adopting HTML5; Firefox and Chrome have been adding HTML5 features for several versions. (There’s a good HTML5-compatibility comparison on the “When can I use …” site.) Still, I give Microsoft two thumbs up (if I could grow another hand, I’d make it three) for embracing HTML5 at the expense of both Flash and Silverlight. Some day — maybe not in the next year or two, but some day — those almost-weekly Flash patches and hidden Flash cookies (described in my August 5 Top Story) will become a thing of the past.

Comparison tests for IE 9, Firefox, and Chrome

You can download beta versions of the three most popular Web browsers from their respective sites: IE 9, Firefox 4, and the somewhat-less-stable Chrome 7 Canary build. On its “Exploring IE” blog, Microsoft claims it dished out two million copies of IE 9 in the first two days.

However, before you download and install these betas, keep in mind that they might not work with most current browser add-ons. I recommend you do your testing on a second, nonproduction machine.

If you want to run side-by-side tests, I suggest this regimen:

Start with a quick and automatic browser/HTML5 compatibility test at Niels Leenheer’s site. When I tested the IE 9 public beta, it came up with a raspberry-generating 101 points out of 300 (including bonus points). Firefox 4, beta 6, pegged 213; Chrome 7 Canary build rang in with 253 points. (Browser manufacturers will give a million reasons to justify their lagging scores — some of which, no doubt, are valid.)

Then try Google’s HTML5 showoff site, “HTML5rocks.” Look at the samples in the Studio section with all three browsers. I bet you’ll find that some samples work in IE 9 and Firefox and some don’t — but (ooooh! aaaaah!) they all work in Chrome 6 — and most work in Chrome 7 Canary.

Next, give Microsoft the benefit of the doubt and run the “Test Drive” speed tests on the Internet Explorer 9 Beta info page. Of course, it will demonstrate that IE 9 runs rings around Firefox and Chrome. You expected different? Still, the specific test and demos are impressive.

Finally, turn to Microsoft’s IE 9 “Beauty of the Web Experience” site and click through to see some fabulous HTML5-based sites.

Living with Internet Explorer 9’s foibles

IE 9, in its current beta form, has a couple of user-interface characteristics that bother me.

I understand that Microsoft wanted to reduce the browser’s overall clutter — to let the Web sites shine through while the browser fades into the background (in other words, to make IE look more like Chrome). But even after working with it for a while, I still don’t understand why MS put the address bar on the same line as the tabs. If you get more than a handful of tabs, the address bar shrinks to the point where it’s unusable.

What’s more, the address bar is now the Search bar, too — and I frequently find myself wondering exactly what key words I was searching on, when the search string gets long. Perhaps it’s just a senior moment, but Firefox and Chrome both leave me plenty of room for refining a search. I bet MS changes that before IE 9 ships.

The new download manager may be skimpy — but it’s sure a lot better than nothing (which is what we’ve had through eight versions of IE). I just wish there were a way to change priorities when downloading more than one file, so I can have IE 9 devote more bandwidth to the file that I want first. I also had trouble with grayed-out Pause buttons, but that might just be the beta blues.

Based on my look at IE 9 beta, I believe this will put Microsoft back into the browser game after a long time playing catch-up. But it won’t take on a commanding lead. Firefox’s Panorama looks like a groundbreaking new feature. Chrome’s updating so quickly, it’s likely that IE will go back to eating dust not long after it sees the light of day. Know what I like the most about IE 9? It’s going to make Firefox and Chrome (and possibly Opera) better, too. That’s good for everybody.

Woody Leonhard‘s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story in a way that won’t put you to sleep.

Password security in Firefox and other browsers

By Keely Dolan

Popular Web browsers will often remember passwords to visited sites — but at what cost to security?

Keeping track of the dozens of passwords we use is a hassle, so most of us blithely trust the password managers built into almost every browser.

But in his thread titled “Firefox and passwords,” Lounge member James Viner sparks a discussion on the security of browser password managers — specifically in Firefox and Chrome. More»

The following links are this week’s most-interesting Lounge threads, including several new questions that you may be able to provide responses to:

☼ starred posts — particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

The Lounge Life column is a digest of the best of the WS Lounge discussion board. Keely Dolan is a Windows Secrets Lounge administrator.

Error messages orchestrate beautiful music

By Keely Dolan Who could ever argue that Windows error messages and BSODs are things of beauty? No, they’re more often associated with a sudden rise in blood pressure and the overwhelming desire to whack your computer with something hard — like a hammer! But this offbeat video demonstrates that error messages can make beautiful music — as you’ll hear in this symphonic arrangement compiled completely from Windows XP error sounds. It just proves that using even the ugliest brush can lead to a masterpiece. Play the video

Making sense of Windows' confusing RAM stats

By Fred Langa “Available RAM” statistics can be confusing and even lead to poor hardware decisions. But once you know what the numbers really mean, you can make an informed judgment about your PC’s RAM requirements.

Is 4GB of system memory a poor investment?

Chris Coddington was seriously bugged about a recent discussion of installed RAM versus available RAM, and I can’t say I blame him. It can be baffling.

• “Your August 19, 2010, article, ‘The not-so-strange case of missing RAM,’ got my attention. And then more attention on the forum.

  “When I purchased my system running the infamous Vista, it came with 1GB RAM. There was no doubt that 1GB was insufficient. I found what I could about increasing memory, and the consensus seemed to be that while 4GB would be nice, very little of it would be available. In fact, [after installing 4GB] I have only about 2GB available.

  “I see a statement on the forum which says that 1GB is lost to I/O pages. And in a quote included by Andy Rowlands, he indicates that we should expect to get only 2.2GB with 4GB installed. That makes 4GB a total waste of money!”

It can look that way, Chris, but things aren’t as they seem. Let’s walk through it:

As you discovered, standard 32-bit Vista (and Windows 7) will run on a PC with 1GB of RAM. The OS will shoehorn itself in alongside essential hardware drivers and services. (See the previously cited article for a discussion of how your system allocates RAM for hardware drivers, low-level services, and the OS itself.) When additional memory is needed, Windows will use the hard drive’s pagefile (swapfile). Performance won’t be great, but it’ll work.

If you add 3GB of RAM to that same system, bringing it to 4GB total, you might think that the extra 3GB would be tacked on as empty and available. But were that the case, Windows and all the necessary drivers, low-level services, etc. would have to remain confined to that original 1GB of RAM. You’d still have the crappy performance of a 1GB system with the other 3GB of extra RAM just sitting there, unused. What would be the point of that?

When you a run 32-bit Windows system in a 4GB system, Windows sees the additional RAM and uses it to operate more efficiently. Roughly half of the RAM is set aside as a place to store frequently accessed code and data — for Windows itself and other system-level software. Windows relies less on the slow, hard drive–based pagefile for low-level memory functions, and that makes the whole system more responsive .

The rest of the RAM is held in reserve for user-initiated tasks such as loading your applications and documents into memory.

It seems counterintuitive at first, but when a 4GB system shows only around 2GB of free RAM, that’s exactly what you want! Windows is using the new RAM you bought and paid for. If the RAM were sitting there, empty and unused, it’d be doing you no good at all. Idle RAM is wasted RAM!

Incidentally, those software utilities that promise to “free up your RAM!” are a scam. As I just noted, the last thing you want is for RAM to lie empty and unused. These utilities are actually working against you by moving code and data out of fast RAM and onto the much slower hard drive. D’oh!

So, let Windows manage your RAM. Your 4GB investment will not go to waste.

Best way to clean out unneeded program files

Dick Parker wants to clean up his system.

• “In going through my computer (following the recommendations given in your excellent Aug. 12 article, “Preparing Windows XP for the Long Haul”), I found many files and folders in C:Windows and C:Programs that I couldn’t identify and was afraid to delete. Is there a source or easy and safe method for identifying unwanted or unnecessary files?”

With few exceptions, the programs in those two folders are put there by various installation routines. The best way to remove programs from those folders is by the reverse method: uninstall routines.

Control Panel makes it easy to uninstall software, most of which resides in your Programs folder. If you’d like an uninstall refresher, Microsoft Support article 307895 explains the process. (Dick’s using XP, so I’ll focus on that. But the process in Win7 and Vista is nearly identical.)

Many Windows users might not realize this, but Control Panel also lets you uninstall many Windows components from the Windows folder tree. In Control Panel’s Add or Remove Programs applet, look in the left-hand pane and select Add/Remove Windows Components. This opens the Windows Component Wizard (see Figure 1).

Figure 1. The Windows Component Wizard lets you remove (or add) various operating system components.

You can then deselect (uncheck) any Windows components you don’t want or need, and Windows will uninstall them for you. This will remove them from the C:Windows folder.

That’s usually all it takes. But if you still think there are unneeded files left on your system, most of the clean-up utilities we’ve regularly discussed — such as CCleaner and jv16PowerTools — have their own uninstall routines that can track down and remove even broken, stubborn, or otherwise hard-to-uninstall software. Combined with their built-in registry-cleaning functions, these utilities can help you get unwanted software off your system cleanly and completely.

Waiting, waiting, waiting for system shutdown

Ron is tired of waiting for his PC to turn off.

• “When I go to turn off my computer, it takes a long time to shut down. Sometimes I have to force the shutdown. What can I do to fix this?”

In software terms, a system shutdown is mostly a startup in reverse. Many of the same things that cause slow startups also can cause sluggish shutdowns.

I suggest you begin by working through my July 22 column, “A step-by-step guide for improving boot times.” Odds are, some of the fixes there will also speed your shutdowns.

The other main cause of slow shutdowns is software components that won’t let go, that don’t respond to the shutdown command issued by the operating system.

Drivers are frequently a problem, especially with XP. (Vista and Win7 are better at recognizing — and sidestepping — unresponsive drivers at shutdown.) For information on getting all your drivers up to date, see my Sept. 16 item, “Best updated-driver source for brand-name PCs.”

Because this is mostly an XP problem, here are two additional articles on troubleshooting slow shutdowns with that operating system:

• Ahuma.org’s article, “XP Shutdown & Restart troubleshooting”
• Windowsnetworking.com’s tutorial, “Troubleshooting Windows [XP] shutdown problems”

Keep your PC’s system clock unerringly accurate

Internet time servers broadcast a precise timing signal you can use to keep your PC’s clock extremely accurate. That is, when everything works properly.

• “Unless I’m wrong, Microsoft’s default time server (time.windows.com — used by Windows users to keep a PC’s clock synched) has been down lately, and it hasn’t worked reliably for some time. Please investigate. Thanks. — Derek”

I’ve seen it fail, too, especially when a gazillion PCs try to synch all at once. Peak times seem to be around the start of the business day in each time zone and around special dates such as New Year’s. But that’s not just a Microsoft problem: when any time server gets busy, you may be unable to synch.

However, there are easy ways to avoid this.

Windows’ built-in time-synching utility normally tries to go online for a time check every seven days — at the same time of day as the initial check. You can take advantage of this process by doing a manual synch at a less busy time of day. Pick an oddball moment — say, 10:53 a.m. or 8:13 p.m. or something equally random. Windows will remember and reuse that same time for future synchs.

Don’t try to synch at the start of the business day or at 12 noon or at other times when it’s likely that many other PCs are being synched. By avoiding the busiest periods, the Windows time server is usually available and responsive.

You also can use a time server other than time.windows.com. XP has one alternate time-server address built in; Vista and Win7 have four. (See Figure 2.)

Figure 2. Windows’ built-in time-synching utility can synch your PC’s clock with the time server of your choice.

You can also manually enter any time-server address you wish. For example, see the National Institute of Standards and Technology’s (NIST) Web site list of official (and free-to-use) time servers.

You can’t beat the accuracy of the government servers: the NIST timing signal originates with the U.S. Naval Observatory’s U.S. Master Clock (info page). The clock is actually a distributed collection of incredibly precise cesium-atomic clocks and a dozen hydrogen-maser clocks whose composite signal is accurate to within 100 picoseconds (0.0000000001 seconds) per day!

For more info on time synching in Windows, see:

• XP: Microsoft’s support article 307897, “How to synchronize the time with the Windows Time service in Windows XP”
• Win7/Vista: On Microsoft’s “Set the clock” page, scroll halfway down and expand the topic, “Synchronizing with an Internet time server”.

Your PC’s clock will never be picosecond-precise, of course, but regular synching with a free time server should keep your PC’s clock accurate to within a fraction of a second!

Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

Share with Buzz (but hopefully not too much)

By Scott Mace In their headlong drive to steal some of Facebook’s thunder, Microsoft and Google incorporate some highly questionable social-networking features into their popular e-mail services. Google’s Buzz comes under the most fire, with many privacy experts and Internet users deeply concerned that it plays fast and loose with personal privacy. There are some important facts all Gmail users should know.

Buzz stumbles badly out of the gate

If you’ve followed with trepidation Windows Secrets’ May 20 Facebook and April 22 Hotmail Top Stories on social networking and personal privacy, you’re probably like me: reluctant to try out Google Buzz — a sort of social-networking add-on for Gmail, Google’s immensely popular e-mail service.

Google Buzz debuted Feb. 9, 2010. Like its competition (Facebook and Windows Live), it’s all about sharing stuff online with your friends, family, and other acquaintances — life events, photos, videos, and more. And it’s all connected to Gmail.

As the Buzz site says, your comments about your life and others’ lives appear “right in your inbox so it’s easy to keep the conversation going.”

But not everyone is happy about that level of conversation. During the initial release of Buzz, Google had allegedly made the private e-mail contacts of Gmail subscribers publicly available without their consent. Gmail users filed a class-action lawsuit. Google made privacy changes soon after the problems came to light, but for the plaintiffs, the damage was already done.

As part of the ensuing U.S. $8.5 million settlement agreement made this month, the funds would pay the attorneys (the only real winners, as usual), compensate the lead plaintiffs, and establish a fund for “existing organizations focused on Internet privacy policy or privacy education.”

Add to that a formal complaint the Electronic Privacy Information Center (EPIC) filed with the Federal Trade Commission, and Buzz was off to a very rough start. This complaint is still pending — even though you have to opt in to use Buzz and the service no longer automatically makes private e-mail contacts publicly available.

EPIC’s complaint, posted on its Web site, contends that users are still unaware that they are creating a public profile with their first use of Buzz.

“The [Google Buzz] welcome screen still does not make clear that the user must create a profile that would be public and indexed by search engines. The screen only states, ‘The first time you post in Buzz you’ll create a profile which includes the list of people you follow — you can choose not to display this list if you like.’ Finally, Google has not announced any changes to the pop-up screen that appears when a user initially posts on Google Buzz. Therefore, users are still unaware that showing the user’s connection means showing connections publicly to everyone, and having them publicly indexed by search engines.”

Using Gmail to manage social networking

Given the fierce competition from Facebook and Windows Live, it’s no surprise that Google continues to integrate social networking into Gmail and its other applications. Days after the class-action lawsuit was settled, Google chairman/CEO Eric Schmidt revealed that more such features are coming before the end of 2010. In a TechCrunch story that includes a press-conference video, he stated, “We’re trying to take Google’s core products and add a social component” — with the goal of improving Google search results. In other words, Buzz will be the glue that holds Google’s social networking together.

At this point, Buzz still lacks the level of privacy controls available in Facebook and Windows Live. (See Figure 1.) To learn just what I could control, I fired up one of my infrequently used Gmail accounts.) I probably hadn’t signed into it since Buzz was introduced.) When I signed in, the first screen was an invitation to try Buzz.

Figure 1. Google’s Buzz offers primitive privacy controls, compared to Facebook and even Windows Live.

After I accepted Google’s invitation, the next stop was a “Welcome to Google Buzz” screen with an optional two-minute Buzz video extolling the product’s many social-networking virtues. But it all boils down to this: you can send your shout-outs, updates, and links just to the friends you choose (and that Google recognizes), all from within Gmail (and soon, presumably, from other Google apps as well). Like Buzz, Facebook lets you limit updates to individual friends; it also allows you to limit updates to the larger friends of friends circle.

As the Google promo states, “It’s built right into Gmail and uses the friends you’ve already made, so there’s nothing to set up. You’re automatically following the people you e-mail and chat with the most. You can choose to share publicly with the world, or privately to a small group of your closest friends.”

Should you want to know more about Buzz’s privacy settings, you’ll find them in a Buzz tab on the general Gmail settings page. You’ll find Buzz’s full privacy policy on a separate page. To give Google credit, it’s a document that is remarkably brief and readable.

Four concerns about Buzz’s privacy policy

After reading through Buzz’s privacy policy, I advice caution in four areas. (The emphasis in the quotes is mine.)

• 1. Under Personal Information: “If you are following someone who publicly displays their list of followers on their Google profile, then you will appear on that person’s public list. Likewise, if someone is following you and displays the list of people they follow on their profile, then you will appear on that public list.”

  Before you start following someone’s Google Buzz feed, check to see whether that person publicly displays a list of followers on his or her Google profile. If so, you’re going to appear on that list. I guess that’s the whole point of Buzz, but wouldn’t it be nice if you could follow others yet not appear on those lists? Not possible — at least not yet. And if someone decides to follow you, you’ll appear on the list of people they follow; there’s no way to turn that off, either.

  Eventually, Google will have to implement more-finely grained controls to satisfy the wide range of privacy preferences. In the real world, preferences vary according to the types of relationships you have with your correspondents.

• 2. Further down: “If you use Google Buzz on a mobile device and choose to view ‘nearby’ posts, your location will be collected by Google. If you use a mobile device to create a post which shares your location, then your location will be collected by Google and displayed to other users, as described when you first attempt to use Buzz on a mobile device. You may thereafter opt out of the collection and display of your location on a per-post basis or choose to exclude your location from all of your posts, except when you’re creating a Buzz post in a Maps product where you’re publishing the post on a map.”

  It makes no sense that in mobile posts, you opt out of revealing your location after you’ve made your first post. This should be a setting you can set before your first post. I think this speaks to one of EPIC’s remaining concerns.

• 3. In the Uses section: “If you use Google Buzz on a mobile device, we may display your location-based posts to users who seek to view Buzz posts ‘nearby’ the location where you created your update.“

  Why can’t you tell Google not to display your location to nearby Google Buzz users? If this disturbs you as much as it does me, consider not using Google Buzz at all from a mobile device.

• 4. In the Your Choices section: “If you chose to delete your Google profile, your Buzz posts will be deleted, but the comments and ‘likes’ you have made on other people’s posts will not be deleted. You have the option to remove your comments on others’ posts individually if you’d like. Residual copies of deleted material may take up to 60 days to be deleted from our active servers and may remain in our backup systems.”

  It’s maddening that you can remove your Google Buzz posts individually but not all at once. But in fairness, if you’ve posted a comment somewhere, it’s unrealistic to expect that comment not to live on (through archive.org’s “The Wayback Machine” archive system, if nowhere else).

Google Buzz, like its social-networking competitors, is here to stay. But Buzz still has a long way to go before its privacy settings provide the level of control most users wish to have. And even when the current controls are set to your satisfaction, you’ll still have to keep track of what you’ve posted: with each post, Buzz will ask whether you want to post to the Web or to the individuals and groups of your choosing.

One other note. Recently, Google added the ability to log into more than one account at a time. With this feature, you can toggle back and forth between two Gmail inboxes or two Google Calendars. When you do this, Buzz will function only in those accounts that have it turned on. I am relieved to see that Buzz is sandboxed in that way. You can easily confine your Google Buzz use to just one account.

Even so, most users will welcome more privacy safeguards in the future.

Scott Mace is a tech and health care journalist based in Berkeley, California. He hosts the IT Conversations podcast “Opening Move” and writes a blog at CalendarSwamp.com.

Home-router vulnerability revealed at Black Hat

By Robert Vamosi A report delivered at the 2010 Black Hat security conference detailed how hackers can exploit a firmware flaw in some popular home/small-business routers. As if there were not enough ways to attack PCs, users should add this DNS vulnerability to their security checklist.

Hacker puts a new spin on rebinding attacks

For PC users, one of the more interesting discussions at this year’s Black Hat/DefCon security conferences (the largest and arguably best yearly U.S. security meet-ups) concerned security flaws in routers — the hardware I discussed in my latest Windows Secret Security Baseline update.

In a talk titled “How to hack millions of routers,” Seismic security researcher Craig Heffner demonstrated how a hacker could gain access to a common home router — then launch attacks on other devices on the router’s network or redirect a user’s browser to a malicious site.

Heffner found that, out of 30 popular routers he tested, at least 17 were vulnerable. Fortunately, none of these was recommended in the Security Baseline article.

The method of attack is through Domain Name System (DNS) rebinding (more info), a vulnerability known for some time. (IOActive researcher Dan Kaminsky spoke about DNS rebinding at the 2008 Black Hat.) Most browsers have built-in protections against rebinding attacks, but Heffner wrote a script that cleverly sidesteps those protections.

Whose router is vulnerable, whose is not

Included on the vulnerable list are several models of Linksys routers, including the popular WRT54G. (Hardware-version 3, firmware 3.03.9 is vulnerable, but the newer hardware-version 5, firmware 1.09 is not.) A Forbes blog includes a list of vulnerable models.

In the WS Baseline Security update, I recommended several home routers. The models listed below (with links to their information pages) are not, according to Heffner, vulnerable to his particular attack:

• D-Link DGL-4500 Xtreme N Gaming Router
• D-Link DIR-825 Xtreme N Dual Band Gigabit Router
• Valet M10

Rebinding explained: hijacking IP addresses

Rebinding attacks exploit an element of the DNS process. Whenever you type in a common name — such as google.com — the Domain Name System converts that name into an IP address number (72.14.204.147, for example). Web sites can have multiple IP addresses, which allows traffic load-balancing among a site’s Web servers.

It’s this ability to have more than one address — and the fact that routers must accommodate them — that allows rebinding attacks.

Like many Internet attacks, this one starts when a user is enticed into a malicious site. The user’s browser downloads an attacker’s code (in this case, Heffner’s script) and runs it on the user’s PC. As a safety precaution, modern browsers will run a script only with the site that provided it. That way, a Web script that comes from one site — say, Google — can’t run on another site.

Heffner found a way for a cybercriminal to grab a user’s public IP address and assign it to one of the extra IP addresses for a site controlled by the cybercriminal.

This threat is not browser-specific; Heffner said his script works in Internet Explorer, Firefox, Safari, Chrome, and Opera. The exploit can give the cybercriminal access to any device on the user’s network — including the router and its administration controls.

With remote control over your router, a cybercriminal can perform a variety of malicious operations, including monitoring your Internet traffic.

Heffner’s hack works only with certain routers — those with vulnerable firmware.

Heffner’s spin on the rebinding hack

Heffner’s hack gives a remote attacker inside access to internal devices such as your network router. It also can give the hacker an easy way to take over your router. Most routers’ administration controls are accessed through an attached PC’s browser. And most router owners never get around to changing their router’s administrative password.

Finding those default home-router passwords is trivial. From the “Router Passwords” site, I know that 2Wire has a default administrator name that’s blank; it also has a password of Wireless. D-Link uses a variation of blanks or admin in either position, and Cisco/Linksys uses admin for both the admin name and password.

With this information and a privileged connection from the hacker’s downloaded application to the victim’s internal network, the attacker can easily change router configuration settings and gain even more access to the victim’s system.

To test your own router, Heffner has posted a tool creatively called “rebind” that’s available on a Google Code site.

Techniques for mitigating this type of attack

Heffner’s common-sense, do-it-yourself techniques for preventing an attack include:

• Change your router’s default password. Again, default passwords are easy to acquire and should be changed regardless of whether your model is vulnerable to Heffner’s hack.
• Update the router’s firmware, and do it regularly.
• Don’t trust unknown Web content — including unfamiliar sites and even ads on trusted sites

Heffner also recommends switching to OpenDNS. Most ISPs tell you what default DNS address to use, but you can go into your router’s controls and change them to those provided by OpenDNS: 208.67.222.222 and 208.67.220.220. (Make sure you have working connection to the Internet before making the change.)

Firefox users should also use the NoScript browser plug-in. NoScript suspends any content based on Java, Flash, and ActiveX; it then asks whether you want to download the content. It can stop the type of rebinding attacks Heffner described.

If you are an advanced user, Heffner suggests disabling HTTP and enabling HTTPS within your router. And while you’re at it, disable UPnP. Doing so will also disable some services such as Skype, but Heffner says UPnP is so bad that it shouldn’t be used, no matter the benefit.

WS contributing editor Robert Vamosi was senior editor of CNET.com from 1999 to 2008, writing pieces such as Security Watch, the winner of the 2005 MAGGIE Award for best regularly featured Web column for consumers.