Thoughts on switching from Chrome to Safari 5.2 [updated]

I’ve used Google Chrome almost exclusively as my main browser since 2009, but after seeing Apple’s WWDC keynote last week I decided to give Safari another try, because being able to send a tab from one device to another (without using Pastebot to just copy/paste the URL across devices),  is one of my most-wanted features.

Things I like about Safari:

  • iCloud tabs (even though I don’t have Mountain Lion yet, it’s already come in useful between my iPad and iPhone running iOS 6).
  • A unified bookmarks bar between my iOS devices and Safari on OS X
  • Reader (though I used Readability before, so I’m not really gaining anything really new here)
  • A unified address/search bar in Safari 5.2 (FINALLY.)

Things I don’t like:

  • No built-in translator
  • No distinct incognito/private browsing windows (with Chrome, incognito windows are super-useful for having two separate “cookie sets” allowing you to login as two users at once while developing web apps)
  • No pinnable tabs… there are a few things I always leave open, but I don’t want them taking up huge amounts of real-estate on my tab bar
  • More than a handful of tabs leads to Safari just displaying a >> icon at the end of the tab bar, whereas Chrome makes them progressively smaller so you can at least still get to them all
  • In Safari, Cmd-1 through Cmd-9 select Bookmark Bar bookmarks in Safari rather than specific tabs (this means I keep accidentally leaving the page I’m on and calling a bookmark instead of switching to the tab I wanted)
  • Lame process separation in Safari: although the web process is separated from the main browser UI process, if one tab crashes in Safari, ALL tabs need to be refreshed. This is no better than having the entire browser “unexpectedly quit” on me, really.

So far I’m finding Safari’s limitations super annoying and I want to switch back, but I’m going to stick it out a while longer. Perhaps I’ll get used to the quirks.

Update 2012-06-23: I’m back to Chrome. Safari’s funky replacement for the WebKit Developer Tools was the final straw.

Safari skews web stats

Here’s an interesting thing to consider next time you’re looking through your web stats: the popularity of Safari 4 and later (the desktop version, not the iOS one) probably looks way higher than it actually is.

Safari’s “Top Sites” feature checks sites to see if any content has changed since you were last there (and also to draw the preview images), and it does this reasonably often. The way it checks is to load your website behind the scenes, which means your server gets hit, and your stats show Safari’s more popular with each refresh.

Perhaps Apple should make the background thread use a different user agent string so that we can differentiate real requests from the Top Sites updates?

My Koobface / Facebook Roadblock experience

I figured I’d write up my experience with the Facebook Roadblock, as it might come in useful for other people who get locked out.

Last night I noticed Adium started spinning away on my dock, unable to connect to one of its configured networks, which turned out to be Facebook. A few minutes later I closed whatever browser tab I had open, and noticed that Facebook tab I had open behind it was showing the “Please login to continue” dialog over my previous session. Clicking the login button took me to something I’d not seen before, the Facebook Roadblock:

The Facebook Roadblock
The Facebook Roadblock

A few minutes of checking the SSL certs, retyping bookmarks, checking for DNS spoofing, and even trying from my iPhone over the 3G data network (which still didn’t work, it instantly logged me out once it loaded and didn’t let me back in), I received an email claiming to be from Facebook. And the headers seemed valid too:

Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
X-Spam-Status: No, score=-99.0 required=5.0 tests=AWL,BAYES_50,
Received: from ( [])
  by (Postfix) with ESMTP id CF77B315237
  for <>; Thu, 28 Oct 2010 19:04:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1;; s=201006181024; c=relaxed/relaxed;
  q=dns/txt;; t=1288289073;
Received: from [] ([])
  by (envelope-from <>)
  (ecelerity r(34222M)) with ECSTREAM
  id F6/5B-27367-13BB9CC4; Thu, 28 Oct 2010 11:04:33 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
  by localhost.localdomain with local (ZuckMail);
Date: Thu, 28 Oct 2010 11:04:33 -0700
To: "Aaron B. Russell" <>
From: Facebook <>
Reply-to: Facebook <>
Subject: Security Warning From Facebook
Message-ID: <9202ff1cbcd06add33c763f96edc88cd@localhost.localdomain>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: roadblock; mailid=333b85fG1e289220G6f8ad57G7b
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

Dear Aaron B. Russell,

We have detected that your Facebook account is infected with a form of
malware, or virus, called Koobface. You downloaded the virus after
receiving a message from a friend, which invited you to view a video.

To restore your account, please log in to Facebook and follow the
instructions you see there. You can also learn more in our Help Centre at:

Facebook Security Team

Hmm. So I really was locked out. But was I really infected? As I use a Mac, I wondered if I’d been hit by the (supposedly harmless) OSX/Koobface.A virus (Intego Security Memo). But if that was the case, why didn’t VirusBarrier X6 tell me about it? And why didn’t I get the Java applet warning? My mind wandered back a couple of days and I remembered I’d logged in on my Windows 7-based HTPC recently too, so there was a slim chance that I got infected that way.

So off I went to set some scans running. Kaspersky Internet Security finished on the HTPC first due to it’s relatively small HD, but that was clean, which only left my MacBook Pro as a potential candidate for infection. After discovering just how long it takes to scan a 500gb hard disk (more than 8 hours)… VirusBarrier told me that it didn’t find anything on my laptop either.

VirusBarrier says "no virus detected"
VirusBarrier says "no virus detected"

Both Kaspersky Internet Security and VirusBarrier X6 claim to be able to deal with various versions Koobface worm/trojan hybrid, but neither of them picked anything up despite having the latest virus definition updates, so my systems seem to be clean. Having checked my systems meant that I was now “allowed” through the Roadblock (Facebook requires you to certify that you’ve checked your system — that said, it’s only a checkbox to tick and you could easily lie, but if you receive genuine reports that your computer appears to be compromised, it’s better not to chance it), and I went through this sequence of steps…

Facebook give you a few options to prove your identity
Facebook give you a few options to prove your identity
I opted for SMS message verification
I opted for SMS message verification
Facebook then try to educate you about what happened...
Facebook then try to educate you about what happened...
... which is a really good idea (despite showing me Windows screenshots when I'm on a Mac)
... which is a really good idea (though they should detect I'm on a Mac)
... and then they forced me to reset my password (also good!)
... and then they forced me to reset my password (also good!)

And then after a confirmation screen, my account was restored.

So… what the hell happened? Well, from what I can tell my machines are not infected, so either my account was compromised, or it was a false alarm (possibly due to Adium’s frequent reconnects to Facebook Chat, because it drops the connection often). Either way, I think Facebook handled this very well from a security point of view. They also offered me a (Windows-only) 6 month free subscription to McAfee VirusScan Plus on the final confirmation screen, but I skipped that as I’m on a Mac and already use Intego VirusBarrier X6, but it’s good to be offering protection to people who might not be protected.

I’m interested to hear if anyone else has gone through this (especially Mac users), so if you have a similar story to share, please drop me a comment.

YouTube vs Viacom: things get ridiculous

It seems that things have progressed into the ridiculous in the YouTube vs Viacom spat:

For years, Viacom continuously and secretly uploaded its content to YouTube, even while publicly complaining about its presence there. It hired no fewer than 18 different marketing agencies to upload its content to the site. It deliberately “roughed up” the videos to make them look stolen or leaked. It opened YouTube accounts using phony email addresses. It even sent employees to Kinko’s to upload clips from computers that couldn’t be traced to Viacom. And in an effort to promote its own shows, as a matter of company policy Viacom routinely left up clips from shows that had been uploaded to YouTube by ordinary users. Executives as high up as the president of Comedy Central and the head of MTV Networks felt “very strongly” that clips from shows like The Daily Show and The Colbert Report should remain on YouTube.

Viacom’s efforts to disguise its promotional use of YouTube worked so well that even its own employees could not keep track of everything it was posting or leaving up on the site. As a result, on countless occasions Viacom demanded the removal of clips that it had uploaded to YouTube, only to return later to sheepishly ask for their reinstatement. In fact, some of the very clips that Viacom is suing us over were actually uploaded by Viacom itself.

— Zahavah Levine, YouTube Chief Counsel, YouTube Blog

This sort of mess surely can’t look good for Viacom?

Been using Formspring? You’re in for a nasty surprise…

From an Associated Press article:

Twelve administrators of the website, including CEO Mark Baxter were arrested on Monday for data phishing and misleading the public, when the site was revealed to be a “social experiment,” which will culminate in the automatic revealing of users’ private data on April 1, 2010.

Update: seems like this is a hoax