Indistinguishable from Direct Manipulation

The Firefox Tinderbox has been unmanageably wide lately. I wrote a Greasemonkey script, TidyBox, to fix it by moving build results from the table cells to popups that appear when hovering the table cells.

Looking at a screenshot with TidyBox, it's easy to see that exactly one box is orange and that the orange started after the last checkin. With the normal Tinderbox display at the same time, you would probably have to scroll both horizontally and vertically to figure that out.

If you want to see the information about a build while using TidyBox, just hover over the cell. To click links that appear in the popup, click the cell to lock the popup in place and then click the link.

Install TidyBox today and you might never have to scroll Tinderbox again!

Other recent efforts to improve Tinderbox:

• Johnath: Performance Dashboard
• Mossop: Tindermerge
• Vlad: Talos Fix

Brian Krebs recently posted a blog entry, Hiding In Plain Sight, about the continuing problem of executable files disguised as other types of files. Brian explains how to make file extensions visible on Windows XP and wonders why Microsoft didn't make that the default.

But hiding the extension by default is only part of the problem. Most users can't be expected to memorize the meanings of dozens of three-letter filename extensions. Even advanced users can't be expected to check the extension every time they download a 15-second video clip.

The real problem is that the same action -- double-clicking on a downloaded file -- has a completely different meaning depending on whether the file is a document or a program. In the first case, it means "view this document"; in the second case, it means "grant this program all of my privileges".

Mac OS X 10.5 "Leopard" tries an interesting solution: "quarantining" just-downloaded programs. If you download a program using Safari or Firefox, you get a concise dialog reminding you that it was downloaded from the Internet.

Unfortunately, Apple botched an important part of this dialog: the button label. The OS X HIG suggest that button names should be verbs that describe the action performed, so if users only read one word in the dialog, it will be one that differentiates one action from another. (Windows, in contrast, is notorious for using "Yes" and "No" as button labels.) Apple chose the verb "Open", which suffers from exactly the same problem as double-clicking: it has a vastly different meaning for documents and applications!

There is concern that because the dialog is "in the way of what you were doing", many users will click through no matter what the dialog says. So perhaps a better solution is to take a hint from the Web application security model, and grant fewer privileges to most local applications. Why should running a screen saver or local game be so much more dangerous than visiting a web page?

A third possible solution is to make the action to launch an application explicit. In a command-line setting, this action might be "chmod +x". On Mac, a natural choice would be dragging the application to the Applications folder, since that is already a normal part of installing an application.

For now, my workaround is to drag files to VLC (as a habit) instead of double-clicking them. I suggested this in the "Handling downloaded files" section of Security tips for Firefox users.

Users rarely look at display advertisements on websites. Of the four design elements that do attract a few ad fixations, one is unethical.

Can you guess which eye-attracting ad design element Jakob Nielsen considers unethical?

1. Plain text
2. Faces
3. Cleavage and other "private" body parts
4. Similarity in design to page content

(Read Jakob's article for the answer.)

I'm working on a page called Security tips for Firefox users, describing what that I think Firefox users need to know in order to be secure while using the Web. It focuses on malware and phishing as the major threats.

I find it scary that users have to know so much in order to stay secure. A lot of the things users are seemingly expected to know are not at all obvious, even to people who have been using the Web for a long time. Hopefully, this page will make it clearer what kinds of changes we should make to Firefox in order to help users protect themselves against malware and phishing.

Daylight Saving Time seems to serve three major purposes:

• Health: keeping sunrise roughly constant relative to when work or school starts makes modern routines easier on our circadian rhythms, improving our pyschological health and perhaps also our physical health. In addition, the daylight "saved" by not "sleeping in" hours past sunrise during the summer makes more outdoor activity possible, increasing the amount of exercise we get without conscious effort.
• Energy use: By using less artificial light and spending less time inside watching TV during the summer, America saves about 1% on total energy use by using Daylight Saving Time.
• Safety: Daylight Saving Time tries to keep both morning and evening commutes in daylight when possible. But when that isn't possible, it tries to ensure that at least the morning commute is during daylight. This reduces car-accident injuries by thousands or tens of thousands per year.

I think a time system could improve health, energy use, and safety even more if it were to make small adjustments throughout the year instead of large adjustments twice a year. For example, a small amount of time might be added or taken away just before 2am every morning, in order to keep sunrises at 6am at a latitude of 40 degrees. The daily changes would be small enough for most people to ignore -- less than two minutes per day even around the equinoxes.

Interestingly, switching to continuous time change would also address the main criticisms of DST:

• Lost productivity and an increase in fatal auto accidents twice a year due to disruption of sleeping patterns.
• Lost productivity fiddling with clocks.
• Farmers are forced out of synchronization with the rest of society.

It seems like my favorite kind of compromise, one that reveals a false trade-off and makes both sides happier than they would have been with their previous preferred solutions.

Of course, there would be new drawbacks. Certain time calculations would be more difficult: night-shift workers might find themselves needing to keep track of the changing length of each day, instead of being confused only twice a year. Planning a weekly meeting involving people in different hemispheres (or DST regimes) would become more difficult, especially if people on each hemisphere have tight schedules.

We would also have to replace our clocks and watches. I'm not about to pretend that forcing everyone to purchase new clocks would be a good thing by itself, but at least it would only be a one-time cost; computing power is cheap enough that the the price of clocks would not increase permanently. When we upgrade our clocks to deal with days that vary slightly in length, we should also give them all the ability to update themselves; this would be more pleasant than requiring you to enter the date in addition to the time after each power outage. We could also dramatically improve the user interfaces of most alarm clocks with respect to how often they fail to wake people up, but that's the subject for another blog post.

This "Continuous DST" proposal is not to be confused with the proposal known as "Year-round DST". The advantages of DST arise from the twice-yearly changes to our clocks corresponding to the changes in the seasons. While "year-round DST" might make sense as a short-term response to an energy crisis such as World War II, in the long term it equivalent to not having DST at all: over a period of several years, everyone will shift their hours back to when they are comfortable being awake unless the government also legislates working hours, store hours, and prime-time television.

I'll admit to being atypical when it comes to sleeping schedules. I work from home and can keep almost any schedule I want. I tend to be most productive at nights, when there are few distractions, so I often sleep during the day. I prefer to be outside during the evening and night, when I don't have to wear sunglasses. (As an added bonus, when I go grocery shopping, my dairy products will take less damage from the walk home). On the other hand, in college, when many students wouldn't even consider taking a class before 10am, I didn't mind having an 8am MWF class as long as I also had a 8:10am class on Tuesday and Thursday.

I'm sure many readers do keep "normal hours", whether by coercion or choice, so what do you think of Continuous DST?

From bug 330884:

This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

The reporter's fiancé had secretly used Firefox on her computer to visit dating sites such as JDate, SwingLifeStyle, and Adult FriendFinder. While logging into those sites, he told Firefox to never remember passwords for those sites. He then uninstalled Firefox, probably because he was worried that she would find out which sites he had been visiting.

Later, she installed Firefox for herself, and happened to need to edit the list of sites to never save passwords for. She quickly realized that he had been visiting dating sites in secret, and was also able to determine that he was still an active member of some of the sites. As one might expect, this led to a breakup.

Should the Firefox uninstaller offer to delete profile data, like most game uninstallers do, or at least notify users that profile data was not deleted? Can it do so in a way that won't confuse users too much or cause accidental dataloss? What about platforms like Mac where most programs (including Firefox) do not have an installer or uninstaller?

I hate my alarm clock.

I love Southwest Airlines.

Here's what happens when you go to the web pages of some large US banks, and what happens when you try changing the homepage URL from "http" to "https" or vice versa.

Most of these banks make Critical SSL/TLS Mistake #1, having the login form be http and only submit to https. This protects against passive attacks, but does not protect against man-in-the-middle attacks. An attacker who can mount a passive attack can usually mount a man-in-the-middle attack with only a little more work, so these banks are barely more secure than sites that do not use https at all.

Of the banks that use https login forms at all, many make two smaller mistakes: their main page is http, which invites http links and bookmarks, and their login forms have long hostnames like "web.da-us.citibank.com", which are harder for users to verify than e.g. "www.citibank.com" or "citibank.com".

Many of the largest targets for financial fraud in the US are only defending themselves against passive attacks. Do they believe authenticated encryption isn't important in the US? Aren't these the same banks that blackmailed Mozilla developers into adding two of its most-hated features, "autocomplete=off" and "Cache-Control: no-store", claiming that any browser without these features was not secure enough for use on their sites? Banks in the US are heavily regulated, so why aren't they mandated to use https correctly?

Users either don't look for the lock icon at all, or can be tricked by the combination of a lock image and a statement in the page like "The moment you click Sign In and before your ID and passcode leave your computer, we encrypt them using Secure Sockets Layer (SSL) technology." Why is that? What can be done? What should be done?