The TODO Silo

Yesterday I saw the news that Microsoft will be shutting down Wunderlist in 2020. I’d used Wunderlist for a time before its acquisition, and it was a decent task manager. But I moved away because while it looked beautiful, its way of working didn’t quite gel with me. (That’s also a criticism I have of Trello.)

Microsoft now have their own app, with the unoriginal name of Microsoft To-Do. It’s sorta-kinda the successor to Wunderlist, and the app they’re suggesting that current users migrate to. You can also export your data from Wunderlist as a ZIP file, although I’m not sure how useful that’ll be. From my experience with other services, it’s a nicety that doesn’t help if you want to import that data into another service.


The M in WIMP

What’s Wrong Apple & Microsoft

Om Malik talks computer mice:

What does suck about the iMac is the mouse — and that is why I almost always default to Microsoft’s mice. In my opinion, Microsoft makes the best PC peripherals in business. They are so beautiful, ergonomic and just delightful to use. Their mice are well made and have a beautiful two (or more) button layout that allows one to program them entirely for the editing.

I’ve never gotten used to Apple’s mice, possibly because of muscle memory build up from decades of using PCs and mice with buttons.

I was using the Sculpt Comfort Mouse, but for some odd reason, it started having issues with the iMac, which would crash the machine. Then I tried the bulkier, Microsoft Precision Mouse. And the same issues have plagued my iMac. The same problem occurs on my MacBook Pro as well — and it has been very recent — after the most current MacOS update. Honestly, I can’t tell where the problem is — on Apple’s software or with Microsoft’s hardware. In case of Sculpt, Microsoft’s hardware page says “limited functionality” with Mac OS 10.10, but says nothing about the latest release, 10.14. For Precision Mouse, there is even less information.

Microsoft stopped supporting Mac users of their mice years ago, so you either rely on macOS or purchase third-party apps to make them usable. I was very careful to double-check for macOS compatibility before getting my current R-Go HE vertical mouse.

What part of “No Flash” doesn’t Microsoft understand?

Sergiu Gatlan at BleepingComputer:

According to the initial bug report filed by Google Project Zero’s Ivan Fratric on November 26:

In Microsoft Windows, there is a file C:\Windows\system32\edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.

The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its www.facebook.com and apps.facebook.com domains, a policy which is currently enforced for all other domains not present on this list.

How serious a problem is that? The BleepingComputer article goes on to quote Ivan Fratric:

This whitelist is insecure for multiple reasons:

  • An XSS vulnerability on any of the domains would allow bypassing click2play policy.
  • There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains, for example www.openbugbounty.org/reports/5… and www.openbugbounty.org/reports/4… and www.openbugbounty.org/reports/1…
  • The whitelist is not limited to https (this wouldn’t work anyway as some of the whitelisted domains don’t support https at all). Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

BleepingComputer reproduced the list of all 58 entries in the original version of the internal whitelist that Fratric uncovered. Many of them appear to be very random.

Catalin Cimpanu, reporting at ZDNet:

Fratric filed a bug report with Microsoft last November, and Microsoft delivered a fix with this month’s Patch Tuesday fixes by restricting the list from 58 URLs to only two domains and enforcing HTTPS for all domains included on the list. The bug report also contains the original version of the whitelist, with all the 58 domains.

In its current version, Edge will allow Facebook to execute any Flash widget that has a dimension of over 398×298 pixels and is hosted on the www.facebook.com and apps.facebook.com domains. Most likely, Facebook is on Microsoft’s Edge whitelist to support the social network’s large collection of legacy Flash games.

For any other Flash widget on any other website, Edge will respect its default click-to-play policy, meaning websites are not allowed to execute Flash without users’ permission, which usually means enabling Flash execution through an address bar icon.

Commenting on Twitter, the Google security researcher showed his surprise on how and who was managing the whitelist, and how it came to be.

“So many sites for which I’m completely baffled as to why they’re there,” Fratric said. “Like a site of a hairdresser in Spain?! I wonder how the list was formed. And if [the Microsoft Security Response Center] knew about it.”

I came across this via Gary McGath’s Mad File Format Science blog, where he adds:

The article speculates that it’s to allow Facebook’s legacy Flash games to work. This doesn’t sound plausible. Why not just let users whitelist Facebook if they want those games and are willing to take the risk? It’s more plausible that supporting Flash ads is the real reason.

The old list, according to Bleeping Computer, included domains like dilidili.wang, totaljerkface.com, and stupidvideos.com. As Dave Barry would say, I’m not making this up.

This tactic puts a huge dent in Microsoft’s credibility. If they’re willing to deceive you about a “No flash” setting, why should you believe them when they say they won’t hand over your personal data? At the very least, it’s a good reason to stop using Edge and switch to some other browser.

I only have Windows around these days for a few apps that I still need to use occasionally. I use Mozilla Firefox as my primary browser on my Mac, and don’t have Flash installed at all. Microsoft, for reasons I don’t fully understand, still include Flash in Windows, and I’ve yet to find a way to get rid of it. It seems that Microsoft is choosing to minimise the amount of technical support it has to provide to Edge users, rather than prioritise keeping those users secure.
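
To make the difference between the old and the patched whitelist concrete, here is a small model of the click-to-play decision as the quotes above describe it. This is an added example, not code from Microsoft or from any of the quoted articles; `bypassesClickToPlay`, the policy objects and the `legacy-site.example` host are hypothetical, and "over 398×298" is read as strictly greater on both sides.

```javascript
// Model of the allowlist decision described above (added illustration, not Edge's code).
// legacy-site.example is a constructed stand-in for the 56 removed entries.
const LEGACY_POLICY = {
  hosts: new Set(["www.facebook.com", "apps.facebook.com", "legacy-site.example"]),
  requireHttps: false,            // Fratric: "not limited to https"
  minWidth: 0, minHeight: 0,      // the page describes no size rule for the old list
};
const PATCHED_POLICY = {
  hosts: new Set(["www.facebook.com", "apps.facebook.com"]),
  requireHttps: true,             // ZDNet: HTTPS enforced for every entry
  minWidth: 398, minHeight: 298,  // assumption: strictly larger than 398x298
};

// True when Flash content on pageUrl would load without asking the user.
function bypassesClickToPlay(pageUrl, widget, policy) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }  // unparsable input fails closed
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (policy.requireHttps && url.protocol !== "https:") return false;
  // Exact host match only: no suffix or substring matching, and userinfo
  // ("allowed-host@other-host") is ignored because URL.hostname excludes it.
  if (!policy.hosts.has(url.hostname)) return false;
  return widget.width > policy.minWidth && widget.height > policy.minHeight;
}

// Constructed sample pages, each evaluated under both policies.
const SAMPLES = [
  "https://www.facebook.com/games/",
  "http://www.facebook.com/games/",            // plaintext: open to on-path tampering
  "https://legacy-site.example/",              // entry dropped by the fix
  "https://www.facebook.com.lookalike.example/",
];

function comparePolicies(widget) {
  return SAMPLES.map((page) => ({
    page,
    legacy: bypassesClickToPlay(page, widget, LEGACY_POLICY),
    patched: bypassesClickToPlay(page, widget, PATCHED_POLICY),
  }));
}

console.table(comparePolicies({ width: 640, height: 480 }));
```

Neither policy can see what runs inside an allowed page, so script injected through an XSS flaw on a listed domain still passes the check; shrinking the list from 58 entries to two reduces that exposure but does not remove it.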

Windows Phone users: Your reminder that support ends in December 2019

Mary Jo Foley, ZDNet:

Just a reminder for those still using Windows Phones: Microsoft is ending its support of the Windows 10 Mobile platform on December 10, 2019. That’s a little more than two years after Microsoft released Windows 10 Mobile 1709 in October 2017, which was its last version of the Windows Phone operating system.

In an interesting rationalization based on its corporate catchphrase, Microsoft says “With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device. Microsoft’s mission statement to empower every person and every organization on the planet to achieve more, compels us to support our Mobile apps on those platforms and devices.”

It’s been the case for a while that Microsoft decided to quit the phone market, but now it’s truly time to move on, Windows Phone holdouts.