Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Another alpha – me.dium for ie7

July 1st 2007 in Uncategorized


Ok, so I’m a glutton for punishment – not only am I playing with the Haute Secure beta (which reminds me, I must install the latest build ’cause the one I am running just crashed IE and has been disabled by the add-on manager), I’m also playing with the alpha of Me.dium for IE7. 

Important note: Me.dium for IE7 is not yet available to the general public.  All screenshots and discussed behaviour are based on an alpha build of Me.dium and may change in future builds. 

Me.dium is a bit of a surreal experience.  Yes you can set users as friends, and chat like all of the other networks out there but what makes Me.dium unique is that as you surf Me.dium recommends other sites that you may be interested in, based on your and other Me.dium users’ activities.  You can also see what sites your Me.dium friends and other Me.dium users are currently viewing.

It’s amazing how much information they have squeezed into such a small pane, but such a wealth of data has come at a price. As you will see from the screenshots below the font used can be *tiny* and those of us whose vision is not as good as it once was will struggle – I’ve bumped up DPI on my machines, but such changes do not touch products like Me.dium.  You also need a fair bit of dexterity when using the mouse – it is very easy to click in the wrong place (I’ve already accidentally closed a chat tab).

I’m running a very very nice laptop, a Ferrari 5000, with an AMD Turion 62 X2 2.00 GHz chip and 2 Gig of RAM installed, but I have had to change the way I do things to adapt to running alpha products – for starters, my 8 home pages have been scrapped to be replaced by a single tab opening to this blog, and I no longer fire up Outlook and IE as soon as I start up the laptop; I fire up Outlook and let that get going before starting IE. I then let Me.dium get going before I fire up my other pages.  IE7 was struggling to open 8 tabs all with a Me.dium pane.

 

How it works

As noted above, Me.dium uses a map to suggest web sites that you may be interested in viewing, with suggestions based on what other Me.dium users, including your friends, are currently viewing.  For example, when I visited a bank website, Me.dium immediately offered a whole stack of other banking sites for my viewing pleasure:

image

Different web sites will bring different friends and Me.dium users into view.  It is kind of fun bouncing around the net, checking out all the sites that Me.dium users are viewing.  Me.dium will also tell you how many users are visiting each particular site.

image   image

You can visit the sites that your friends are viewing via their entry on the Me.dium map, or via their entries in the Me.dium :
image image

 

 

Friends

You can chat, but if somebody starts a chat or replies to you, and the Me.dium pane is not in view, there is no visual or audio cue to let you know that something has happened, nor is there any way to mark yourself as “away” that I have found.  I have already been caught a couple of times when somebody has replied to me and I have been in Outlook or even in another IE tab, oblivious to the activity.  Also, chats will not carry over to any new tabs that are opened, which is logical when you consider that who is in view is dependent on what site you are viewing.

image

 

 

So what happens if you visit a “private” site? 

You see this:

image

Interestingly, sharing was suspended when I visited a page signed by an Extended Validation Certificate or even a plain, vanilla https site:

image   image

and when I opened a new tab (logical, because about:blank is on your local machine, and you don’t want people seeing stuff on your computer, do you)

image

but NOT when I visited GMAIL and logged into my private account (because GMAIL is not HTTPS).  That may concern some people, but to quote those behind Me.dium:

“Me.dium never captures log-in information when you are visiting a secure (HTTPS) website or accessing authentication information stored in your system’s cookies. For example, if you’re logged into an e-mail program, such as Yahoo! Mail, your e-mail is not visible to users; rather other users see a blank Yahoo! Mail log-in page without any personal identifying information.”

So, basically, if you need to log in to the site and your username and password are preserved in a cookie or in protected store on your computer (eg: you use Internet Explorer’s ability to save user names and passwords) then you’re ok.  Also, if the site is HTTPS you’re ok.  I’ve been playing around with log in sites that do not use HTTPS and have had the chance to click on a map entry when somebody is obviously accessing their GMAIL account.  On every attempt, all I saw was my own GMAIL account, not the other person’s. 

image

At the moment, the risk of accidentally gaining access to somebody else’s private information via a URL is pretty high up in my thoughts – for example, what about URLs that contain username:password@sitename?  Granted, this is a very slim risk because as from IE6 SP1 Internet Explorer no longer supports such a syntax BUT it *is* possible to re-enable support via the keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

and

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Source: http://support.microsoft.com/kb/834489

The article mentions IE7, so it seems that the keys will work in that version of the Web browser, although I should point out that I have not tested this.

Yes, I know, the chances of both Me.dium users having been silly enough to re-enable support for the syntax in question and actively using such URLs are roughly “nil and buckleys”, and Me.dium users can turn off sharing at any time simply by closing its Explorer Pane, but one of the goals of an alpha of this type is to explore possibilities for misuse, and the risk is no less than some other “limited attacks” that have had the popular press in a lather in recent times.

I think I’d be happier if Me.dium were coded to automatically turn off sharing if such a URL syntax was encountered…
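The sharing rules discussed above (suspend on HTTPS and about:blank, and handle `username:password@` URLs before anything leaves the browser), sketched as an added example that is not from the original post and is not Me.dium's code. The function name, the `onUserinfo` option and the sample URLs are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not code from the Me.dium add-on.
// Decide what, if anything, a browsing-sharing add-on may report for a URL.
// onUserinfo: 'strip'   -> remove credentials, then share the cleaned URL
//             'suspend' -> turn sharing off for this page (what the post asks for)
function prepareUrlForSharing(rawUrl, onUserinfo = 'strip') {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG URL parser (browsers and Node.js)
  } catch (e) {
    return { share: false, url: null, reason: 'unparseable' };
  }
  // Only plain http is shared; https, about:, file: and the rest suspend
  // sharing, matching the behaviour observed in the alpha.
  if (u.protocol !== 'http:') {
    return { share: false, url: null, reason: 'non-http scheme ' + u.protocol };
  }
  // The userinfo part ("username:password@") must never reach the server.
  if (u.username !== '' || u.password !== '') {
    if (onUserinfo === 'suspend') {
      return { share: false, url: null, reason: 'credentials in URL' };
    }
    u.username = '';
    u.password = '';
    return { share: true, url: u.href, reason: 'credentials stripped' };
  }
  return { share: true, url: u.href, reason: 'ok' };
}

// Constructed sample inputs.
const samples = [
  'http://alice:s3cret@intranet.example/reports',
  'http://mail.example/inbox',
  'https://bank.example/login',
  'about:blank',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(prepareUrlForSharing(s)));
}
```

Parsing the URL and clearing the userinfo fields, rather than pattern-matching on the string, keeps an `@` that appears later in the path or query from being mistaken for credentials.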

 

Privacy

Me.dium records four things: web-page (URL) visits you choose to share with Me.dium, your most recently visited web-pages, your list of friends, and any profile information you choose to share with Me.dium.

 

Data security

Me.dium advises that:

“All browser communication is encrypted with 128-bit SSL and our secure data center exceeds industry norms. In addition, Me.dium takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data that we collect and store. These security measures include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data.

Furthermore, we restrict access to personal information only to Me.dium employees, contractors and agents who need to know that information in order to operate, develop or improve our Services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations. Unfortunately, no security system can be 100% secured; accordingly, Me.dium cannot guarantee the security of any information provided to us in connection with the information that we collect through our website.”

Source: http://www.me.dium.com/faq

Now, as much as I’m loving playing around with this, I have *got* to get some earn-an-income type work done; more later…

Nick White talks about Me.dium:
http://windowsvistablog.com/blogs/windowsvista/archive/2007/05/01/me-dium-add-in-for-ie7-connects-kindred-spirits.aspx

Me.dium’s inventor:
http://me.dium.com/node/615

Mike Gotta:
http://mikeg.typepad.com/perceptions/2007/05/medium_addin_fo.html


3 comments to...
“Another alpha – me.dium for ie7”

Peter Newcomb

Sandy, thanks for the great article. It’s true that we continue to face many challenges in the areas of usability (like readable font sizes) and security/privacy. We have spent and continue to spend a lot of effort in both of those categories, and intend to do so indefinitely. It really helps us when people like yourself point out issues for us.

One note on the “username:password@” thing: the extension code (in both FF and IE) already strips any “username:password@” from any URL it sends to our servers. BTW, anyone can check the FF code by unzipping the .xpi or looking at the code as unpacked into their profile folder. The IE code is necessarily compiled into a binary, but we’ll make the source code available to those who wish to audit it.

-peter



Kimbal

Thanks for the review Sandi. We’re getting quite excited about releasing it to the general public.

Kimbal
CEO, Me.dium



Brian Madsen

Hey Sandi,

ME.DIUM sounds and looks like a great tool. When’s the public Beta going to be released? When can mere mortals like me get to try it out? When??

If nothing else, hook a brotha up will ya!

