On Chromebooks

I spent the summer of 1994 working minimum wage (a princely $4.25/hour), testing electronics, saving all of my pay to buy a beast of a computer. That September, I entered my sophomore year of high school and plunked down my saved ~$3000 to become the proud owner of my first Windows PC, a Comtrade Pentium 90 with 8 megabytes of RAM, a 730mb hard disk, and a quad-speed CD drive. My parents threw in a few hundred dollars to get me an upgrade to a 17” monitor (snicker… 15.7” visible). I split my time between DOS and Windows for Workgroups 3.11.

Suffice it to say, I’ve been a Windows user for a long time.

In 1999, I started as an intern on the team that became the SharePoint team, and in 2001 I joined Microsoft full-time to work on Microsoft Office, and later Internet Explorer.

Since 2012, I’ve dabbled with Macs and Linux VMs, but spent nearly all of my time on Windows.

That’s starting to change.

Why?

Confession: I love Chromebooks.

In January of 2013, I bought my first Chromebook, the $249 11.6” Samsung Chromebook. It was an underpowered little machine with a decent keyboard, a good battery, and not much else. But the long battery life meant it was almost always ready to go, and the tiny form factor made it an easy choice when I wanted portability but a better keyboard than the tablet.

Within a few months, my wife took over the machine; it was perfect for her scenarios: it booted quickly, rarely ran out of juice, and didn’t bother her with incessant demands that she install updates and reboot, a constant hassle with her Lenovo x200. Updates on the Chromebook are incredibly painless (just click an icon every few weeks) and make both Mac OS and Windows look primitive by comparison.

In March of 2014, I sent my parents a $160 ASUS Chromebox to replace their old Windows XP computer. The new box is about a twentieth of the size and probably four times as fast, but the real reason I sent it was that I was tired of doing remote tech support for browser-borne malware, and I was increasingly terrified of letting my parents do online banking from Windows.

In October of 2014, we upgraded my wife to the $329 Toshiba Chromebook2; it has a much faster CPU than the old Samsung, a dramatically nicer screen, and a respectable battery. It’s a bit heavier and bulkier than the Samsung, but it’s still much more pleasant than the Lenovo. The Samsung Chromebook became a hand-me-down to our two year old son (who loves pounding the keyboard) but alas, the screen was recently broken… not by the boy, but by our cat, who knocked it off a table. Still, for a $249 machine, we definitely got our money’s worth.

My favorite Chromebook is the Pixel. I had a 2013 model which was a beautiful machine with a fatal flaw—an inefficient CPU and a smallish battery that meant it wouldn’t last for five hours on a charge. As much as I wanted to love the Pixel, it let me down too many times; I’d pick it up and it’d be dead. The 2015 Chromebook Pixel solves this problem—it gets much longer battery life (10 hours or more), can live on standby for a very long time, charges rapidly over USB-C, and has a faster CPU. Build quality is generally very good (awesome touch screen, strong hinge, good keyboard). The only worrying issue is that I recently noticed that when the fan comes on (pretty rare) there’s a bit of an audible whine if the base isn’t horizontally level—a problem which may or may not be unique to mine, as I haven’t found anyone else with the new Pixel yet. Update: a friend reports his 2015 Pixel doesn’t have this problem.

I have the $1300 “LS” edition which has an i7, 64GB SSD and 16GB of memory, but I’d recommend the $1000 regular edition (i5, 32GB SSD, 8GB RAM) to almost everyone, as there are more useful ways to spend the $300 price difference. (I bought the higher-end model with the idea that I’d eventually put Crouton on mine and run Linux beside ChromeOS… but thus far I’m too afraid to “break” it.)

I currently have a wide range of other devices to choose from (2015 XPS13, 2013 Mac Air, Lenovo T420s, Retina iPad 3, Nexus 7) but I find myself picking up the Pixel more often than not—it’s just a fundamentally pleasant machine for doing things on the web. I’ve also started redeeming the “free HD version on Google Play” codes that come with the HBO shows I’ve bought on DVD and Blu-ray, and the Pixel is a great device for watching these as well, although the beta branch of Chrome OS seems to have a number of minor annoyances in the Google Play app.

My 2015 XPS13 has an awesome form factor (light and fast), but it is currently running Windows 10, which is not ready. Prior to upgrading to Windows 10, the XPS13’s real problems were the awkwardness of the Metro UI paired with the hassle of constant Windows Updates. Another key consideration is that you can’t get (performance destroying) antivirus for a Chromebook, and most IT departments don’t know how to screw them up. Previously this beneficial ignorance was an advantage for Macs as well, but our IT department at least has started “enhancing” Macs and making them awful too.

Despite its many benefits, the Pixel isn’t a perfect machine and it’s probably not for everyone. Apps are sadly sparse, and web-based replacements aren’t getting new features as fast as I’d hope. There have been a few promising developments recently, like Skype making its way to Chromebook. I’m not a gamer, but Chromebooks are very limited in this department– while many browser-based games will work great, those based on Java don’t, and none of the major PC games available for Windows (and increasingly, for Mac) will run on Chromebooks.

The biggest disappointment so far is in printing—it’s not a super-common scenario for us, but we do a ton of online shopping and need to print a return label a few times per month. At home, we have a Brother DCP 7065DN printer and you basically can’t print to it from Chromebooks without expensive workarounds like the Lantronix xPrintServer Cloud Print. It’s goofy that I have to buy a little box to run a print server just so ChromeOS can print, while presumably the exact same print daemon could be run directly on the ChromeOS machine. While frustrating, this limitation will probably continue to fade in importance as new printers come with the Google Cloud Print code built in; for instance, the slightly newer Brother DCP L2520DW supports Cloud Print, and it’d be cheaper to buy that than the xPrintServer box.

Unlike most of my PCs, I feel like my Chromebook works for me, rather than the other way around.

-Eric

Optimize PNGs using PngDistill

Unfortunately, many PNG image generators opt for minimum compression time, failing to achieve maximum compression. Even worse, the most popular PNG generation tools often include huge amounts of unnecessary metadata that can bloat images by thousands of percent!

Fiddler now includes PngDistill, a simple tool that removes unnecessary metadata chunks and recompresses PNG image data streams using the Zopfli compression engine. Zopfli-based recompression often shaves 10% or more from the size of PNG files. You can access the PngDistill tool from the context menu of Fiddler’s ImageView inspector:

Automation

While it is well integrated into Fiddler, PngDistill, which is installed to the C:\program files (x86)\Fiddler2\Tools folder, only requires PngDistill.exe (a .NET application) and zopfli.exe to run; you can use these tools without Fiddler.

To run PngDistill against an entire local folder of images, you can do so from the command prompt:

   for /f "delims=|" %f in ('dir /b *.png') do PngDistill "%f" replace

This script runs PngDistill on every image in the current folder, replacing any image for which the distillation process saved bytes. You can then update the images on your server with the optimized images.

Running PngDistill.exe without any arguments will show the usage instructions:

image

Notes

  • The “Minify-then-compress” Best Practice applies to PNGs. While large fields of empty pixels compress really well, the browser must decompress those fields back into memory. So, if you’re building a sprite image with all of your site’s icons, don’t leave a huge empty area in it.
  • More advanced optimizations for PNG files are available using filters, color depth reduction, etc. PngDistill does not undertake these optimizations as its goal is to be 100% safe for automation, with no possibility of a user-visible change in the pixels of the image.
  • PngDistill partially supports .ICO files. Icon files may contain embedded PNGs; when run on a .ICO, PngDistill will extract the PNGs and save them externally; you will need to rebuild the .ICO file with the new PNG file(s).
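To make the metadata-stripping step concrete, here is a small PNG chunk walker added as an illustration; it is not PngDistill’s code and does no Zopfli recompression. It keeps every critical chunk plus the ancillary chunks that can affect how pixels are decoded or displayed, drops the rest (tEXt, zTXt, iTXt, tIME and the like), and checks each chunk’s CRC so that a corrupt or truncated file is rejected rather than rewritten. The 2x2 sample image it builds, with its 5 KB text comment, is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Ancillary chunks that can change how pixels are decoded or displayed; they are
# kept alongside every critical chunk. Any other ancillary chunk is metadata.
RENDERING_ANCILLARY = {b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"sBIT",
                       b"bKGD", b"pHYs", b"acTL", b"fcTL", b"fdAT"}


def is_critical(ctype):
    """PNG marks critical chunks with an uppercase first letter (bit 5 clear)."""
    return not (ctype[0] & 0x20)


def make_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) per chunk; raise ValueError on a malformed file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                      # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def strip_metadata(data):
    """Return (slimmed_png, dropped_chunk_types); pixel data is left untouched."""
    out = [PNG_SIGNATURE]
    dropped = []
    for ctype, payload in iter_chunks(data):
        if is_critical(ctype) or ctype in RENDERING_ANCILLARY:
            out.append(make_chunk(ctype, payload))
        else:
            dropped.append(ctype.decode("ascii"))
    return b"".join(out), dropped


def is_well_formed(data):
    """True if the signature, chunk lengths and CRCs all check out."""
    try:
        for _ in iter_chunks(data):
            pass
        return True
    except ValueError:
        return False


def make_sample_png():
    """Constructed 2x2 8-bit grayscale PNG carrying a 5 KB tEXt comment (sample input)."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)   # width, height, depth, gray, ...
    raw = b"\x00\x00\xff" + b"\x00\xff\x00"                # each row: filter byte 0 + 2 pixels
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00" + b"x" * 5000)
            + make_chunk(b"IDAT", zlib.compress(raw, 9))
            + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = make_sample_png()
    slim, dropped = strip_metadata(sample)
    print("%d -> %d bytes, dropped %s" % (len(sample), len(slim), dropped))
```

Running it reports the 5020-byte saving from dropping the tEXt chunk alone. Validating CRCs before rewriting matters for an automated pipeline: a silently corrupt input should fail loudly rather than be re-serialized with a fresh, now-valid checksum.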

-Eric

Meaningless Legalese

The folks @Wired would like to remind you that viewing their website in any browser violates their terms of use.

wired tou

All web browsers cache content, by design. And I’m pretty sure that “reading” is just one of many ways that the material might be “otherwise used.”

For an otherwise forward-looking publication, seeing this garbage on the homepage is a depressing failure.

-E

Medical Bills

In April, Noah (22 months) fell on the playground. It wasn’t an especially bad fall, but he bumped his head pretty hard. He cried, but mostly because he dropped the ball he was carrying– he quickly stopped when it was returned to him. No big deal. He had a nasty bruise and some swelling, but he’s had worse.

Later that night, he threw up after dinner. This was worrisome, since he’s had a pretty strong stomach and has only ever done so a few times in two years. Googling around, the general consensus is you only need to call the doctor after the third instance of vomiting when no other symptoms are present. Whew!

Until he threw up three more times over the next hour.

So, Jane called the nurse’s line and they suggested we go to Dell Children’s Hospital, the best in Austin. We piled in the car and headed over, convinced that we were probably worried about nothing, but still… He threw up in the lobby and we got in to see a nurse a few minutes later. She offered an anti-nausea pill (“Zofran”) which we initially declined but went back to get after he threw up yet again. After more waiting, we got in to see a doctor, who probed at his bruise/bump a bit, reiterated his medical history, and had us give Noah some more water to see if he could keep it down. Eventually, he decided that we should do a CAT Scan just to be sure, and we all headed downstairs for the scan. Throughout the process, Noah was happy and wide awake, apparently excited about getting to hang out past his bedtime in a neat new place with lots of gadgets. We assumed this would end when he had to lie down for the CAT Scan machine, but he was the perfect patient, lying down as quietly as he ever had and not moving at all for the scan.

An hour or so later, we got back the results (no problems found, yay!) and we got discharged with a diagnosis of “mild concussion” and a prescription for more of the Zofran just in case he needed it.

A few hours after we got home, I apparently “caught Noah’s concussion” and began throwing up. Oops. Well, at least we ruled out any kind of real problem; there was no fever, just some nausea and difficulty in keeping food down.

We both got better within a few days.

Then we got the bill. The letter from the hospital was pretty simple: “Hey, send us $2150. Got any questions? Talk to your insurance company.”

A few days later, the insurance company sent over their explanation of benefits, explaining that they’d covered $2017, we got a $1041 discount, and we owed the remainder of our annual deductible ($2150). They at least offered a slight breakdown of the charges:

image

Even still, we wondered about the $309 “Pharmacy” charge—Noah had only taken two tiny pills (dissolved) and they seem to have a street price of $2 to $12, depending on where you buy them. What’s up with that?

The lack of detail here made it seem almost as if the insurance company had no interest in preventing fraudulent billing. Weird.

Jane called and nagged the hospital into sending over a detailed bill. That they didn’t send it on the back of the initial letter irritates me to no end, but it immediately becomes clear why they might not want you to know what you were charged:

image

The Zofran was marked up at least 1000%. The “5GM Cream” was some sort of topical anesthetic that the nurses had applied to his hand just in case he needed an IV if he didn’t keep down the water he drank—my guess it had at least the same level of markup.

Fortunately, my employer provides ridiculously good healthcare benefits (they even pay deductibles!) so the entire trip didn’t directly cost us anything. But I’m terrified of how broken the pricing model for healthcare is in this country. I’m a big fan of the ACA, but if we as a country don’t find a way to rein in uncontrolled healthcare costs, we’re doomed anyway.

Time Magazine did an awesome story on this topic almost exactly two years ago: http://time.com/198/bitter-pill-why-medical-bills-are-killing-us/

-Eric

The Muse

There’s a writer living in my head, and he’s a genius.

Or so he tries to convince me, as his prose flows freely day in and out, filling most idle moments– while I’m showering, driving, dining, taking out the trash, or performing any of the other mundane tasks of daily life. His prose is brilliant– his points always well aligned, his recall of long-ago events and facts uncannily perfect, and his agility in seamlessly transitioning from one topic to the next is above reproach. He never needs spell-check or a thesaurus, and he never struggles to find the right way to approach the topic. His efforts are frequently interrupted by periods of basking in the glorious reception he imagines for his easy labors, and he is certain that untold rewards are sure to follow.

Unfortunately, this genius is a huge jerk.

As soon as a spare moment is found in which hands can be placed upon a keyboard or a notepad, he’s either nowhere to be found, or not “in the mood” to rehash old topics that were perfectly formed in the ether… to commit such brilliance using a device so banal as a keyboard is an insult, it seems, and he won’t deign to be part of such an endeavor.

Over the years, I’ve found that the only way to write is to just type, painfully, whatever drivel comes to mind, scaffolding up the roughest of approximations of what he might say, providing nary a distraction to amuse him. With false start after false start, rewrite after rewrite, I suffer until he comes out, clucks his tongue at my pathetic efforts, and begins to guide my fingers on the keyboard. He bridles at the annoyance of checking facts (rolling his eyes in disdain each time an inaccuracy is found—“the piece would be better if I was right!” he argues) and groans each time my feeble mind grapples with a word choice.

When a throwaway tweet gets 300 times the pickup of a hard-scribed blog post, he groans and rants at the inanity of the mortal world.

But what alternative is there?

-Eric

Unsecure Content

Chrome has landed their change that allows you to mark unsecure (HTTP) content as insecure or dubious. Visit chrome://flags/#mark-non-secure-as to set the toggle. You can choose to mark as Dubious:

image

…or as Non-Secure:

image

The expectation is that eventually one of these modes will be the default for sites that are transferred over insecure protocols like HTTP.

Personally, I’m not really a fan of either piece of iconography; to me, showing the lock at all implies that the site has some amount of security and maybe it’s just not perfect.

I’m hoping that after some transition period, we’ll end up with a more prominent notification that explains what the issue is and why humans might care.

In December of last year, I made the following proposal with tongue only slightly in cheek:

Meet “Nosy”, your HTTP-content indicator:

Of course, Nosy’s got a lot of things to say:

nosy2

Sites and services need to use secure protocols like HTTPS because users expect it. No, not all users will expect to see the letters HTTPS, and they probably don’t understand hashes, ciphers, and public key encryption. But they expect that when they visit your site, it was delivered to them unmolested, privately, and as you originally designed it. And the only way to realistically ensure that these expectations are met is to use HTTPS.

Update: While the mock screenshot above was never built, Chrome Security’s Lucas Garron wrote the awesome Ugly HTTP Chrome extension, a very simple extension that helps make it much more obvious when you’re on a non-secure site by color-shifting the content of the page itself.

-Eric Lawrence

HTTP Caching Public Service Announcement

There are many interesting things to say about HTTP caching. I’ve blogged about them a lot in the past.

Today’s public service announcement to clear up two extremely common misconceptions:

1. The no-cache directive does not mean “do not cache” (even though IE versions prior to IE10 implemented it that way).

What it really means is do not reuse this item from the cache without first validating with the server that it is fresh.

If the no-cache directive does not specify a field-name, then 
a cache MUST NOT use the response to satisfy a subsequent request
without successful revalidation with the origin server.

2. The must-revalidate directive does not mean “you must revalidate this resource with the server before using it.”

What it really means is do not reuse this item from the cache after it expires without first validating with the server that it is fresh. It’s basically saying: “Don’t ignore the Expires and max-age directives.” Which a client absolutely shouldn’t be doing anyway.

If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server.
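To pin down the difference between the two directives, here is a small freshness decision function added as an illustration; it is a toy model of the rules quoted above, not any browser’s cache code. `decide` takes a response’s headers and the cached copy’s current age and returns whether the cache may serve it, must revalidate it, or (only when the caller has opted into staleness and must-revalidate is absent) may serve it stale. It uses max-age as the only freshness lifetime and ignores Expires and heuristic freshness; the headers in the demo are constructed samples.

```python
def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def decide(headers, age_seconds, allow_stale=False):
    """Decide how a cache may use a stored response.

    Returns "serve" (reuse without contacting the origin), "revalidate"
    (a conditional request is required first) or "serve-stale" (the caller
    tolerates staleness, as with a max-stale request directive, and the
    response does not forbid it). Toy model: max-age is the only freshness
    lifetime considered.
    """
    cc = parse_cache_control(headers.get("Cache-Control", ""))

    if "no-store" in cc:
        return "revalidate"            # should never have been stored at all

    # Unqualified no-cache: never reuse without revalidation, fresh or not.
    # A qualified form such as no-cache="Set-Cookie" only restricts the named
    # headers, so the normal freshness rules below still apply.
    if "no-cache" in cc and cc["no-cache"] is None:
        return "revalidate"

    max_age = cc.get("max-age")
    if max_age is None or not max_age.isdigit():
        return "revalidate"            # no explicit lifetime: treat as stale here

    if age_seconds < int(max_age):
        return "serve"                 # fresh: must-revalidate has no effect yet

    # Stale. must-revalidate forbids serving a stale copy under any circumstances;
    # without it, a caller that asked for stale content may still get it.
    if allow_stale and "must-revalidate" not in cc:
        return "serve-stale"
    return "revalidate"


if __name__ == "__main__":
    # Constructed sample responses, each checked while fresh and after expiry.
    samples = {
        "no-cache, max-age=3600": (10, 7200),
        "max-age=3600, must-revalidate": (10, 7200),
        "max-age=3600": (10, 7200),
    }
    for value, (fresh_age, stale_age) in samples.items():
        hdr = {"Cache-Control": value}
        print("%-32s fresh: %-10s stale(max-stale): %s" % (
            value, decide(hdr, fresh_age), decide(hdr, stale_age, allow_stale=True)))
```

The demo output shows the two misconceptions side by side: the no-cache response is revalidated even at age 10 seconds, while the must-revalidate response is served straight from cache at that age and only differs from the plain max-age response once it has expired and a client asks for stale content.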

-Eric

Browser Benchmarks

Back in December, I predicted that Microsoft wouldn’t release the Project Spartan beta until it bested all of its competitors on the major benchmarks: SunSpider, Kraken, and Octane. I was wrong—the first beta was released with only minor script performance improvements. That changed with build 10061 of Windows 10, and Spartan now does beat everyone else on their own benchmarks.

Running Windows 10 on my new 2015 Dell XPS13 i5-5200U, I get the following scores:

Browser                    SunSpider   Kraken       Octane
Spartan/IE 10061           122.7ms     1444.44ms    23652
Chrome 43 beta 2357.37     255.5ms     1557.7ms     22656
Firefox 37.0.2             204.2ms     1498.4ms     21762

Now, some of these “victories” are within the margin of error, and it’s very possible that upcoming versions of Chrome and Firefox will improve their performance on slow outliers (e.g. Chrome’s score on Octane’s MandreelLatency is just 22% as fast as Spartan’s). But anyone surprised at Microsoft’s great results is overlooking the fact that some of the world’s best compiler developers and architects work for Microsoft and their attention has increasingly been turned toward JavaScript.

Of course, script performance is important, but it’s far from the only way to measure a browser. Standards-compliance, network performance, ease-of-use, security, end-user features and many other aspects determine your experience with a browser. There are many different tests (subjective and less-subjective) for these aspects, although each has its own biases. But just to give one example, with all its feature flags turned on, Spartan ekes out a score of 402/555 on the (questionable, but easily run) HTML5Test.com while Firefox and Chrome score 449 and 526 respectively.

Hamstringing JavaScript

Of course, your numbers might be wildly different than those above, for one major reason: security software.

Every year for Microsoft’s annual AV summit, the IE Team puts together a chart of the impact of AV on browser performance, showing the variation across the top 20 AV products (the variation is huge). They don’t want to publish this data, but the impact ranges from “bad” to “absurdly unbelievably bad.” The best products impact performance by ~15%, the worst slow the browser by 400% or more. Several of the products crash the browser entirely and can’t be benchmarked fully. Conducting these benchmarks correctly is difficult—you need to account for every piece of software running on the machine and ensure that the test conditions are entirely fair (hardware, software, updates, etc); as a consequence, many of the “public” benchmarks are rather inaccurate.

Why hasn’t the IE team released their numbers? My guess is that it’s to try not to anger the AV companies, all of whom have been muttering “antitrust antitrust antitrust” under their collective breath ever since Microsoft integrated an entirely decent antivirus package into Windows 8.

Personal anecdote: I have Symantec Endpoint Protection running on a machine with a high-end i7-4771 CPU; even after unticking all of the “optional” protection features I can find in the Symantec control panel, the Octane score in Chrome 43 is 11659. On the same hardware in the same browser version without Symantec installed, the Octane score is 32555, 279% of the original score.

The devastating impact of antivirus on browsing performance is one reason why your portable devices feel magically fast—on an AV-unhindered i7, IE11 runs SunSpider in 70ms. Add AV and it runs in 350ms. The iPad Air, running with Safari’s slower script engine, runs it in 380ms. Mobile devices offer “Desktop Class” performance only because your desktop has been wrecked.

Antivirus software is too often a cure that’s as bad as the disease. The business model of AV rewards noisy products, and the desire for “checkbox parity” leads to a race to shove its tentacles in all sorts of places they don’t belong (e.g. the internal data structures of the browser). Unfortunately, even beyond antitrust concerns, Microsoft is very limited in its ability to deal with horrible AV products due to court precedents that say that AV can pretty much get away with doing anything it wants in the name of “protecting the user.”

You might ask: “Without my security software, aren’t I at risk?”

Yes, you are. But security software provides surprisingly little protection, as this delightful photo of a colleague’s laptop shows. In the foreground, the AV software promising that the user is protected. In the background, the ransom UI demanding payment to decrypt the documents that have just been mangled.

Awkward screenshot

Even worse, “security” software itself often introduces vulnerabilities into otherwise secure systems.

Advice

Want to be protected and stay fast?

  • Upgrade to Windows 8.1 or later.
  • Leave SmartScreen Application Reputation enabled.
  • Leave the built-in antivirus enabled.

Or get a Chromebook.

– Eric Lawrence

Security UI

Over a decade ago, Windows started checking the signature of downloaded executables. When invoked, the Attachment Execution Services (AES) UI displays the publisher’s information for signed executables; unsigned executables instead show a security prompt with a red shield and a bolded warning that the publisher of the file is unknown:

image

In contrast, signed executables show a yellow shield and the name of the publisher and the publisher’s declared name of the application.

When Windows Vista released in late 2006, an “elevation dialog” was introduced to prompt the user for permission to run an executable with elevated (administrator) rights. The new prompt’s design somewhat mirrored that of the earlier AES prompt, where unsigned executables are scary:

image

… and signed executables are less so:

image

As you can see, the prompt’s icon, program name, and publisher name are all pulled from the downloaded file.

To avoid double-prompting the user, the system detects whether a given executable will be elevated, and if so the AES dialog is suppressed and only the elevation prompt is shown.

As a consequence, the security UI in modern Windows is a bit backwards… the lower-risk “run as user” dialog seems complex and scary, while the higher-risk “run as administrator” dialog seems simpler and more trustworthy:

BadDesign

From a security design point-of-view, this seems unfortunate. Application designers should never be in the position of choosing higher-permission requests to get friendlier prompt behavior.

-Eric Lawrence