Memento Mori – Farewells

A sad part of getting older is losing friends along the way. But it’s an important reminder that every day is a gift, and no tomorrow has been promised.

Last week brought the sad news that David Ross has passed away.

David was a giant and a pioneer in the new field of web application security. David graduated from my alma mater (U. Md College Park) the year after I arrived, beating me to Microsoft by a few years. David was originally recruited by Microsoft after discovering and reporting several serious bugs in early versions of Internet Explorer that could allow attackers to run native code on victims’ PCs.

I first met David in 2004 when I joined Internet Explorer to work on Trust features; David was even by then a longstanding expert in the browser security space. Originally, David was focused purely on security feature work, finding and addressing security vulnerabilities in Internet Explorer and related products. Over time, he moved into security design work, driving the design and adoption of important security features that have had an industry-wide impact (e.g. HttpOnly cookies). 

David’s most significant impact at Microsoft was the invention, prototyping, evangelization, and evaluation of the XSS Filter feature of Internet Explorer. This achievement required high levels of both technical and interpersonal skill. David’s research showed the prevalent and growing exploitation of XSS attacks and he knew that if Microsoft wanted to significantly move the needle on security, we had to have an answer for XSS attacks. David generated some proposals for what the browser might do to address this, and himself built a proof-of-concept plugin demonstrating his best proposal. He refined the prototype and improved its effectiveness and performance, and built test code to verify its impact and ensure that false-positives were minimized. He understood this space end-to-end better than almost anyone in the world. However, David needed to, and did, go beyond that. Getting this feature “out of the lab” required a huge amount of interpersonal skill as the Internet Explorer team at the time was very reluctant to take on major features to address a threat space which was “forward looking.”

David managed to build alliances, address concerns, refine his prototypes, win over skeptics (myself included) and eventually drive the approval to ship this feature in IE8. He worked closely with IE’s development team to refine the plugin prototype to fit within Internet Explorer’s architecture.  

More significantly, David continued his evangelism, research, and ownership of this feature even after it shipped, working to update the feature to address new threats, even after the IE team was no longer actively working on it. Most impressively, David managed to keep the feature in IE for version 9, where features with performance impact (like the XSS Filter) were getting slashed and burned in order to boost performance of the browser. David did this in two ways: first, by helping to design and implement significant performance improvements in the feature itself. Next, by working with senior Internet Explorer and Windows management to ensure that they understood the value of the feature (both for security and competitive reasons) and would be willing to make the investments necessary to ship it with IE9 and future versions. 

Beyond the XSS Filter, David was Microsoft’s “go to guy” for web security for over a decade. When the team encountered a difficult web security design problem, they would go to David, who consistently found a way to help. When Vice Presidents had questions about web security, they would ask: “Well, what does D-Ross think about this?” Unlike many experts at the top of their field, David was modest, easy to work with, and did not suffer from arrogance or impatience; he consistently got the job done while building successful long-term relationships. 

The Windows 8 team relied upon David for security review of the critical Windows 8 HTML+JavaScript apps architecture, much as earlier Windows teams relied upon his work for the design of HTML-related features (Desktop Gadgets). He often shared his expertise in written form (publicly and internally) and via small internal presentations and, rarely, public presentations, like this lecture at AppSec.eu. Beyond his own contributions, David recruited and directed several key security researchers for Microsoft, significantly strengthening the security team at the company.

At the end of 2013, David moved from Microsoft to Google (I would follow him to Google from Telerik two years later). As a part of his hiring, I had the honor of writing him a glowing letter of recommendation, despite the absurdity, like a high school JV QB writing a letter recommending an NFL team sign Tom Brady.

He was smart and patient and dauntless and I will miss him. Rest peacefully, David.


Earlier this year, we lost Richard Shupak. I met Richard when I started in Internet Explorer; he worked in Microsoft Research and had built tools that would audit products’ use of COM (“COMCheck”) and flag errors that could cause security or reliability problems. IE had a lot of these.

“Making a nuisance of myself is not officially part of my job description,” Richard said. “It’s more like a hobby.”

Unlike Google, Microsoft was pretty parsimonious about granting access to product source code (I joined the IE Team in large part to get access to its code), but rumor had it that Richard had permissions to all of the source at the company and spent his days looking for ways to improve it.

Even after he retired from Microsoft, Richard kept in touch and reported bugs he’d found and areas he planned to go research next.


Three years ago, we lost Dan Kaminsky. I’d first met Dan when he came to Microsoft as an external expert security reviewer, and we worked together on a variety of security topics for over a decade. He was brilliant, fun, and an optimist who had a huge impact on the security community. While Dan was just four months older than me, I want to be Dan when I grow up.

I could write a lot more about Dan, and maybe I will some day.


Four years ago, we lost Chris Jackson. Chris was a bright and funny and optimistic guy who helped customers succeed with Microsoft products. You couldn’t help but be friends with Chris.


Eleven years ago, we lost Ed Praitis. Coworkers for years, we were not especially close but he had a big impact on my outlook and my career, and his early death reminded me of the importance of both lifting others up and expressing your appreciation for those who do the same in timely fashion — you may not have a chance later.

Attack Techniques: PayPal Invoice Scams

Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — we look at Invoice Scams.

PayPal and other sites allow anyone (an attacker) to send anyone (their victims) an invoice containing the text of the attacker’s choosing. In this attack technique, PayPal sends you an email suggesting that the attacker already has taken your money, and you should call the attacker-supplied telephone number if you have a problem with that.

Because PayPal is acting as a (clueless) accomplice in this scam, the email contains markers of legitimacy (including the “This message is from a trusted sender” notice):

If you call the attacker’s phone number, they will solicit enough information to actually rob you.

In the current version of the Microsoft Outlook web application, you can choose to report this phishing email. Because it really was PayPal that sent this phishing lure, choosing “Report and Block” will block all future email from PayPal, including any emails that aren’t scams, which may not be what you expected to happen.

Note that PayPal isn’t the only vendor with this issue; attackers are also conducting attacks using DocuSign to send fake invoices.

Stay safe out there.

-Eric

Attack Techniques: Trojaned Clipboard

Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” — the trojan clipboard technique. In this technique, the attacking website convinces the victim to paste something the site has silently copied to the user’s clipboard into a powerful and trusted context.

When the attacker page loads, the site places dangerous commands onto the victim’s clipboard, then asks the victim for help in executing them.

A walkthrough of this attack can be found in the ThreatDown Blog, but simple screenshots give you the gist:

A similar one:

Now, in the modern Windows Terminal, trying to paste a string with a CRLF in it will show a warning prompt:

… but that protection still relies upon the user having some concept that they might be under attack and not hitting Enter.

Update: Microsoft’s Threat Intelligence team has a lengthy writeup of techniques we’ve seen in the wild.

Nothing New Under the Sun

In the current scenario, the target victim context is a native execution surface, but this is far from the first time an attack like this has been seen.

Two weeks ago, attackers were abusing the Win+R Run dialog:

Here’s a nice video explanation that walks through what the attackers do if you fall for the Win+R attack.

UPDATE: A few months later, an attack coupled full-screen abuse with a fake WindowsUpdate reboot screen:

Thirteen years ago, Socially-Engineered XSS Attacks were all the rage, where bad guys would use the Address Bar / Omnibox to get access to your Facebook account and worm the attack through all of your friends and contacts:

That attack led browsers to start dropping the javascript: prefix when pasting into the address bar. If a user really wants to run JavaScript, they have to manually type the scheme prefix themselves.

Similarly, pasting into DevTools was a recognized attack vector, so before browsers introduced built-in protections, websites would take it upon themselves to console.log a warning message like this one on WordPress.com:

Nowadays, Chromium blocks pasting by default:

…as does Firefox:

Other Execution Surfaces

The Windows Run dialog is a convenient target because it’s just a Win+R hotkey away. But it’s not the only such surface; for example, the location bar in Windows Common File dialogs and in File Explorer windows is also an execution surface.

A real-world attack campaign is now using the Common File Dialog vector:

Note: Enterprises or administrators who are concerned about their users unsafely running commands from Windows Explorer execution surfaces like the Run dialog or the Location bar may set a policy to disallow such actions.

You can do so by using RegEdit.exe to create a REG_DWORD named NoRun with a value of 1 in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

…or you can use the Group Policy editor to configure User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu

Beyond Explorer, Command Prompts, Terminals, and PowerShell IDE windows are obvious targets, and several Windows utilities like Task Manager also have command-runners:

So, protecting just the Run dialog might not be enough.

Alas, We Can’t Patch the Human

All of these attacks make the end-user an active participant in their own victimization.

What are defenders to do about all of this?

Block copy from the browser? Warn on every paste into a sensitive context? Introducing friction would be annoying — 99.99% of the time, nothing bad is happening, and the user is pasting trustworthy or harmless content.

Mark of the Web – Clipboard Edition?

If you squint at it, this problem is somewhat like the problem of Windows Security Zones — Windows wants to apply additional scrutiny to files from the Internet, but as soon as you download a file, that file is no longer “on the Internet” — it’s on your disk.

Way back in 2003, Windows invented the “Mark-of-the-Web” which marks a file as having originated from the Internet, storing information about its origin in an NTFS Alternate Data Stream named Zone.Identifier:

While the Windows clipboard does not today have the exact equivalent, several analogous features do exist. In the Windows Vista era, a new format was added to the clipboard to reflect that the clipboard’s contents came from a Low IL page.

Starting with an Internet Explorer 9 update in 2011, an additional data format named msSourceUrl was added to the clipboard containing (in UTF-16) the source URL:

Much more recently, Chromium implemented a similar concept, originally for DLP purposes, as I understand it. In modern Chromium, when you copy text from the web, the clipboard now contains an additional data format called Chromium internal source URL that indicates from what URL the content was copied[1].

Firefox has a similar format, text/x-moz-url-priv:

An application which wishes to protect itself from potentially untrusted clipboard data can check for these data formats, and if found, call Windows’ MapURLToZone API on the URL to determine what security zone the clipped text belongs to, prompting the user if needed.

Update: For my first foray into “vibe coding“, I worked with Google Gemini to build this tiny C++ app that examines text copied from browsers. I wrote a blog post about vibe-coding with Google Gemini here.
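As an added example (not the author’s Gemini-built C++ app, and not code from this post), here is a PowerShell script that performs the check described above: it looks for the three browser source-URL clipboard formats, decodes the URL, and asks urlmon’s IInternetSecurityManager::MapUrlToZone (the COM interface behind MapURLToZone) which zone the copied text came from. The encoding sniffing and the “Internet or worse means prompt” threshold are my assumptions.

```powershell
# Added example: check the Windows clipboard for the browser source-URL formats
# described above and map that URL to a security zone via urlmon's
# IInternetSecurityManager::MapUrlToZone (the COM form of MapURLToZone).
# Run from a normal (STA) PowerShell console after copying text from a browser.
Add-Type -AssemblyName System.Windows.Forms

# Minimal interop for IInternetSecurityManager. Only MapUrlToZone is called; the
# other methods are declared so the vtable slot order matches urlmon.h.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

[ComImport, Guid("79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"),
 InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IInternetSecurityManager
{
    [PreserveSig] int SetSecuritySite(IntPtr pSite);
    [PreserveSig] int GetSecuritySite(out IntPtr ppSite);
    [PreserveSig] int MapUrlToZone([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl,
                                   out uint pdwZone, uint dwFlags);
    [PreserveSig] int GetSecurityId([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl,
                                    IntPtr pbSecurityId, ref uint pcbSecurityId, IntPtr dwReserved);
    [PreserveSig] int ProcessUrlAction([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, uint dwAction,
                                       IntPtr pPolicy, uint cbPolicy, IntPtr pContext, uint cbContext,
                                       uint dwFlags, uint dwReserved);
    [PreserveSig] int QueryCustomPolicy([MarshalAs(UnmanagedType.LPWStr)] string pwszUrl, ref Guid guidKey,
                                        out IntPtr ppPolicy, out uint pcbPolicy, IntPtr pContext,
                                        uint cbContext, uint dwReserved);
    [PreserveSig] int SetZoneMapping(uint dwZone, [MarshalAs(UnmanagedType.LPWStr)] string lpszPattern,
                                     uint dwFlags);
    [PreserveSig] int GetZoneMappings(uint dwZone, out IntPtr ppenumString, uint dwFlags);
}

public static class UrlZone
{
    // CLSID_InternetSecurityManager
    static readonly Guid Clsid = new Guid("7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4");

    public static uint Map(string url)
    {
        var mgr = (IInternetSecurityManager)Activator.CreateInstance(Type.GetTypeFromCLSID(Clsid));
        uint zone;
        int hr = mgr.MapUrlToZone(url, out zone, 0);
        if (hr != 0) Marshal.ThrowExceptionForHR(hr);
        return zone;   // URLZONE_*: 0 local machine .. 4 restricted sites
    }
}
'@

# Clipboard formats in which Internet Explorer, Chromium and Firefox record the copy source.
$sourceFormats = 'msSourceUrl', 'Chromium internal source URL', 'text/x-moz-url-priv'
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function ConvertFrom-ClipboardBytes {
    param([byte[]]$Bytes)
    # Assumption: the payload is UTF-16LE (as the post notes for msSourceUrl) or UTF-8.
    # Sniff for the zero high bytes that ASCII-range UTF-16LE leaves at odd offsets.
    $odd = 0; $zeros = 0
    for ($i = 1; $i -lt $Bytes.Length; $i += 2) { $odd++; if ($Bytes[$i] -eq 0) { $zeros++ } }
    $enc = if ($odd -gt 0 -and $zeros -ge [math]::Ceiling($odd / 2)) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::UTF8 }
    return $enc.GetString($Bytes).TrimEnd([char]0)
}

function Get-ClipboardSourceUrl {
    $obj = [System.Windows.Forms.Clipboard]::GetDataObject()
    if ($null -eq $obj) { return $null }
    foreach ($fmt in $sourceFormats) {
        if (-not $obj.GetDataPresent($fmt)) { continue }
        $raw = $obj.GetData($fmt)
        # Custom (non-standard) formats come back as a MemoryStream of the raw HGLOBAL bytes.
        $url = if ($raw -is [System.IO.MemoryStream]) { ConvertFrom-ClipboardBytes -Bytes $raw.ToArray() } else { [string]$raw }
        if ($url) { return [pscustomobject]@{ Format = $fmt; Url = $url } }
    }
    return $null
}

$src = Get-ClipboardSourceUrl
if ($null -eq $src) {
    'No browser source-URL format on the clipboard; the text was not copied from a browser.'
} else {
    $zone = [UrlZone]::Map($src.Url)
    "Clipboard text was copied from $($src.Url) (format: $($src.Format)) -> zone $zone, $($zoneNames[[int]$zone])"
    # Policy choice for this example: Internet and Restricted sites count as untrusted.
    if ($zone -ge 3) { 'Untrusted origin: a paste-consuming app should prompt before treating this text as a command.' }
}
```

Copy text from a web page in Chrome, Edge or Firefox first, then run the script; text copied from Notepad or a local document produces the “no browser source-URL format” line.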

-Eric

[1] When drag/dropping data (e.g. links or text), Chromium puts the source origin (not the full URL) in a different clipboard format, named chromium/x-renderer-taint.

Authenticode in 2024

My 2021-2024 Authenticode certificate expired yesterday, so I began the process of getting a replacement last week. As in past years, I again selected a 3 year OV certificate from DigiCert.

Validation was straightforward. After placing my order, I got a request for high-resolution photos of me holding my ID (I sent my passport and driver’s license). Then, a verification Zoom video call was scheduled (they had tons of slots open, I did mine when I was free at 10:30PM) where I showed the validator my ID and signed the attestation forms with them acting as a witness. I scanned the completed forms to a PDF and emailed it to the validator.

In 2023, the Baseline Requirements for code-signing were updated to require that all code-signing certificates be stored on hardware to limit theft and abuse. I’ve been storing my code-signing certificates on a hardware token since 2015 or so, and using a YubiKey 4 since 2016. However, DigiCert now seems to require a new token, either a SafeNet eToken or a Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM. As far as I know, my YubiKey4 doesn’t qualify, so I ticked the option to have them send me a new SafeNet eToken 5110 CC for $120. (There are probably places to get this less expensively, but I didn’t want to fuss over it.)

A few days later, my new token arrived:

I popped it in my PC, installed the two Windows apps that DigiCert directed me to install, generated my new certificate, and set a new PIN. The process took perhaps fifteen minutes.

I uninstalled my expiring certificate from my Windows certificate manager (since it has the same Subject Name as the new one) so I would not need to make any changes to my build and sign batch script:

@title FiddlerImportNetLog Builder
@cd C:\src\FiddlerImportNetLog\installer
@C:\tools\signtool sign /as /d "Fiddler NetLog Importer" /du "https://textslashplain.com/" /n "Eric Lawrence" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 C:\src\FiddlerImportNetLog\FiddlerImportNetLog\bin\release\FiddlerImportNetLog.dll 
@filever C:\src\FiddlerImportNetLog\FiddlerImportNetLog\bin\release\FiddlerImportNetLog.dll > Addon.ver
@C:\src\NSIS\MakeNSIS.EXE /V3 FiddlerImportNetLog.nsi
@CHOICE /M "Would you like to sign?"
@if %ERRORLEVEL%==2 goto done
:sign
@C:\tools\signtool sign /as /d "Fiddler NetLog Importer" /du "https://textslashplain.com/" /n "Eric Lawrence" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 FiddlerImportNetLog.exe 
@if %ERRORLEVEL%==-1 goto sign
@:done
@title Command Prompt

I took the opportunity to stop adding an additional signature that uses SHA1, since there’s no reason why you’d want to run this app on Windows XP (which didn’t support SHA256).

Sign Everything You Ship

In past years, it was common to simply sign your application’s installer, main executable, and anything that required elevation to run as Administrator — the three contexts in which signatures were most commonly checked by various components of the system (e.g. the Shell, firewalls/security software, and the UAC Elevation dialog). For the most part, other signatures were not automatically checked by the system (the fact that AV software is constantly looking at file signatures was basically invisible).

Things have changed with the start of the rollout of Windows 11’s Smart App Control feature.

Rather than just checking the signature of your installer, a system with SAC enabled will now check the signature on every executable module your program loads. If a signature is not found, a reputation check is conducted against the Defender File Metadata Service. If a positive reputation isn’t found, the module load is blocked.

You can see this at work when installing an old utility app I built, MezerTools. This product contained one unsigned DLL I knew about — docker.dll, a DLL that implements a feature to allow users to double-click any window’s edge to “grow” it to the corresponding edge of the screen. Because this DLL is unsigned, it fails to load, and the Bad Image notification dialog is shown.

Two SmartAppControl Failures

In the blocking dialog, two different Error Status codes are common:

  • 0xc0e90002 – Unsigned and no positive reputation
  • 0xc0e9000a – Unsigned and reputation service unreachable

Beyond that expected failure for docker.dll, there’s another one I didn’t anticipate, visible only in the notification toast shown by Windows complaining about System.dll. My app doesn’t install a System.dll, but the Nullsoft Install System I use to install MezerTools will try to drop its own System.dll to a temporary folder during install if your installation script uses certain NSIS functions (in my case, computing a folder’s size). Because the NSIS DLL isn’t signed, it is blocked and my API calls in the script will fail.

There’s a third failure not seen until the user tries to uninstall the app. The Uninst.exe uninstaller that Nullsoft automatically generates isn’t signed and can be blocked by SAC:

Due to how uninstall works in Windows, the failure is reported for “COM Surrogate”.

The install script compiler writes its uninstaller directly into the built Setup.exe, making it easy for the developer to forget about. Even if they remember the uninstaller, how can they sign it?

Fortunately, the developers of NSIS have already solved that one by introducing the !uninstfinalize command. This command enables the developer to sign the uninstaller generated by NSIS before it is embedded into the installer.
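As an added example (not the post’s own build script), this PowerShell function walks a build output tree and reports every executable module that Smart App Control would have to send to the reputation check: anything without a valid Authenticode signature, plus signed files that lack a timestamp. The root path is taken from the batch script above and the list of extensions is my assumption.

```powershell
# Added example: find the files in a build output tree that are not (validly)
# signed, or are signed but not timestamped, before Smart App Control finds
# them for you. Read-only; it signs nothing.
function Get-UnsignedShipFiles {
    param(
        [Parameter(Mandatory)][string]$Root,
        # PE types Windows loads as code; extend for whatever your installer drops.
        [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.ocx', '*.cpl')
    )
    $rootPath = (Resolve-Path -Path $Root).Path
    Get-ChildItem -Path $rootPath -Recurse -File -Include $Include | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # Without a timestamp the signature stops validating once the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    } | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped }
}

# Audit the installer folder from the build script above (path from the post).
Get-UnsignedShipFiles -Root 'C:\src\FiddlerImportNetLog\installer' | Format-Table -AutoSize
```

Plugin DLLs such as NSIS’s System.dll are extracted to a temporary folder at install time rather than shipped in your output tree, so point -Root at your NSIS Plugins directory as well, and re-run after adding !uninstfinalize to confirm the generated uninstaller now shows as Valid.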

Azure Trusted Signing

Beyond getting a certificate from a third-party CA, Microsoft now offers its Azure Trusted Signing service in Public Preview. With Azure Trusted Signing, your private key is stored securely in a security module in the cloud and used to sign your binaries. You can integrate your local signing processes with Trusted Signing and integrate signing into cloud build processes on GitHub and the like.

This is a cool approach and widely considered to be “the future,” but it’s overkill for my needs, and I do all of my builds on my local PC. I like the idea that anything bearing my digital signature is something that I literally/virtually had my hands on (by plugging my token into my PC).

Beyond that, Azure Trusted Signing is not presently available for individuals or legal entities younger than three years old. They do expect to relax that at some point in the future, so check back here for an update when I next need a certificate in 2027. :)

Special Circumstances

For most scenarios, any certificate that chains to a trusted root in the Microsoft Root Certificate Program will be acceptable for Windows scenarios. There are a few special exceptions however.

EV Certificates for Drivers

If you wish to sign a driver or other Windows component, you must use an Extended Validation Certificate. EV certificates require additional vetting as to the identity of the publisher and are not generally available to individuals. Notably, as of 2019, using an EV certificate no longer automatically grants your code “initial trust” by SmartScreen Application Reputation.

Secure Enclaves

Windows 11 allows 3rd party developers to build code that runs inside a Secure Enclave (I’ve written about Enclaves recently). In order to load code within an enclave, the signing certificate must have specific flags set. Those flags are only respected when the signing certificate is from Azure Trusted Signing.

DRM and Security Software

Various DRM and security features in Windows have niche signing requirements. For example, see this document for requirements about how anti-malware code is signed.

Attack Techniques: Remote Control Software

In yesterday’s post, I outlined the two most successful (and stupid simple) attack techniques that you might not expect to work (and you’d be so very wrong):

  1. “Please give me your password.”
  2. “Please run this file.”

Today, let’s explore number 3: “Please give me control of your computer so I can, uh, fix it?”

In this attack, an attacker convinces you that there’s some problem with your computer, your bank account, or something else, and that to fix that problem you will need to allow them access to your computer. The security industry tends to call this the Remote Monitoring and Management software scam.

The attacker might start out by sending you SMS text messages or email telling you of a problem, or you might be tricked into calling the attacker when visiting a website takes over your entire screen and blares out a notice saying that “Microsoft” needs you to call them immediately.

Or, the attacker might sign your email address up for a ton of spammy mailing lists, then call you “from your IT department” with the pretext of needing to remotely control your PC “to fix the broken spam filter.”

Once the attacker has you on the hook, they make their move, asking for access to “fix the problem.” The attacker promises “Don’t worry! You can watch everything I’m doing.”

While sometimes the attacker asks you to download some free (and otherwise legitimate) remote control software, lately attackers have been just getting Windows victims to activate the built-in QuickAssist feature included with Windows 10+. Unfortunately, QuickAssist (and similar software) gives the soon-to-be victimized user very little indication of the tremendous risk they’re facing.

I’ve proposed an improvement:

The victim, baited hook already in their mouth and not seeing any clear alternative, figures “Well, they said they’re from my bank or Microsoft, so they are the good guys, right? And they said that I have to act right now or I’ll lose everything! I guess I’ll just watch them very closely.”

Unfortunately for the good people of the world, bad guys need very little skill to be evil while you watch. The attacker follows a script to show you various innocuous-but-scary-seeming information on your PC, lies to you about seeing a major problem that they need to fix, convinces you to push the button to hand over control, and then downloads and runs various malware tools that immediately steal all of your passwords, drain your accounts, and steal and encrypt your files[1]. If your computer has access to a network (e.g. your company), they’ll begin attacking that network using your identity.

What can you do about this scam?

Tell your friends and family that they should never allow anyone they do not personally recognize access to their PC, for any reason. They should never trust emails or SMS messages they receive to be genuine, and should verify any information they receive by calling their financial institution directly, using the contact phone number on their bank card or statement. Microsoft will never call you.

-Eric

[1] An almost completely accurate depiction of this attack can be found in the recent thriller “The Beekeeper.” Unfortunately for the good guys, Jason Statham isn’t waiting on standby to go avenge victims of this all-too-common scam.

Attack Techniques: Full-Trust Script Downloads

While it’s common to think of cyberattacks as being conducted by teams of elite cybercriminals leveraging the freshest 0-day attacks against victims’ PCs, the reality is far more mundane.

Most attacks start as social engineering attacks: abusing a user’s misplaced trust.

Most attackers don’t hack in, they log in. The most common cyberattack is phishing: Stealing the user’s password by asking them for it.

The next most common Initial Access Vector is socially-engineered malware: sending the user a malicious file and asking them to open it. When the malicious file runs, it disables security defenses, downloads more malware, and begins stealing data and performing other malicious activities.

Attackers have many choices for deploying their malware — on Windows, they can write evil executable files (.EXE, .SCR, .COM, etc) or installers (.MSI, .MSIX, etc).

However, for simplicity and compatibility reasons, one of the most common initial access choices for attackers is a file targeting the legacy scripting engines (.JS, .VBS, .HTA, .WSH).

Legacy Script Engines

These scripting file types, created alongside Internet Explorer in the 1990s, have been supported for almost 30 years now, and they still work on the latest versions of Windows. Unlike JavaScript running in your browser, these file types run outside of your browser, with no sandbox constraining their ability to reconfigure your system and steal your files.

  • JavaScript running in Chrome or Edge cannot read a file from your desktop without your explicitly selecting that file, whereas JavaScript running inside wscript.exe can read every file from your desktop, download and run any program without any prompts, and so forth.
  • VBScript no longer runs in browsers, but the Windows Scripting engines (cscript.exe and wscript.exe) are perfectly happy to run VBS files and provide full access to your system.
  • You can think of a HTA file as a prehistoric Electron app — it’s basically Internet Explorer with no sandbox and all of the security features turned off.

This level of power is, in a word, totally 🍌bananas🍌.

Why does it still exist?

Legacy compatibility.

User Experience

In Edge, the .HTA file type is marked as DANGEROUS and thus HTA downloads are blocked by default:

…but even blocked files can be sent to the user inside an archive (e.g. a ZIP File) and the user need only open the ZIP to be able to get at the HTA within.

In contrast, Chrome treats the HTA type as ALLOW_ON_USER_GESTURE and does not block .HTA downloads:

Reading the source, you can see that Chrome does not treat any of these file types as dangerous:

file_types {
  # HTML Application. Executes as a fully trusted application.
  extension: "hta"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: ALLOW_ON_USER_GESTURE
  }
}
file_types {
  # JavaScript file. May open using Windows Script Host with user level privileges.
  extension: "js"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: ALLOW_ON_USER_GESTURE
  }
}
file_types {
  extension: "vbs"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: ALLOW_ON_USER_GESTURE
  }
}

After you click open, the only thing standing between your PC and the potentially malicious code is a 2003-era security prompt:

After the file starts running, your security software may be able to catch malicious behavior at runtime using a feature called the Antimalware Scan Interface, but I wouldn’t bet my PC on it.

A Smarter and Safer Future?

The new Windows 11 Smart App Control feature dramatically reduces the threat of an attacker sending the victim a simple script or batch file that takes over their PC. A wide swath of file types, including scripts (.js,.vbs,.hta,.ps1), batch commands (.bat,.cmd) and numerous other dangerous types are blocked from running if they came from the web.

Mitigations

You can easily block attacks against the legacy scripting engines today. There are numerous ways to do so, but perhaps the simplest approach that blocks both browser and email attack vectors is to point the file types at a safe application (e.g. Notepad).

To do so, simply open the Windows Settings app and navigate to Choose defaults by file type. Search for a type:

Click the arrow icon, scroll the app list to pick a safe handler, then click Set default:

After fixing VBS, fix the other types:

In the unlikely event that you ever need to run one of these files inside its original handler, you can easily do so from the command line. Just run e.g. mshta.exe theApp.hta or cscript.exe myScript.js to run the file.
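To confirm the mitigation actually took effect (Explorer honours the per-user choice written by Settings, not just the machine default), here is an added PowerShell audit that is not part of the post: it resolves the handler for each legacy script type the way Explorer does and flags any that still point at wscript.exe, cscript.exe or mshta.exe. The extension list and the risk labelling are my assumptions; the script is read-only.

```powershell
# Added example: report which program each legacy script type currently opens
# with for this user, so you can see whether it has been pointed at a safe
# handler such as Notepad. Read-only; it changes no associations.
$legacyTypes = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'
# Hosts that run the script with full user privileges; a handler naming one is the risky state.
$fullTrustHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }
}

function Get-LegacyScriptHandler {
    param([Parameter(Mandatory)][string]$Extension)
    # The per-user choice (what Settings > Default apps writes) wins over the machine default.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = Get-RegValue -Path $userChoice -Name 'ProgId'
    $source = 'user choice'
    if (-not $progId) {
        $progId = Get-RegValue -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -Name ''
        $source = 'machine default'
    }
    $command = $null
    if ($progId) {
        $command = Get-RegValue -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -Name ''
    }
    $risky = $false
    foreach ($h in $fullTrustHosts) {
        if ($command -and $command -match [regex]::Escape($h)) { $risky = $true }
    }
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = if ($progId) { $progId } else { '(none)' }
        Source    = $source
        Command   = if ($command) { $command } else { '(no classic open command: packaged app or unassociated)' }
        Risk      = if ($risky) { 'FULL-TRUST HOST' } else { 'ok' }
    }
}

$legacyTypes | ForEach-Object { Get-LegacyScriptHandler -Extension $_ } | Format-Table -AutoSize -Wrap
```

A row marked FULL-TRUST HOST means a double-click on that type still launches the script engine; an unchanged .hta row will show mshta.exe in the Command column until you either reassign it or apply the DisableHTMLApplication policy below.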

Blocking HTA Files

HTA Files are such a longstanding security problem that there’s a simple Group Policy (backed by a registry key) that blocks running them. From an elevated command prompt, run:

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Hta" /v "DisableHTMLApplication" /t REG_DWORD /d 1 /f

…or create the key yourself using regedit.exe:

After doing so, double-clicking on a HTA file will silently do nothing.

Stay safe out there!

-Eric

Spring 2024 Updates

After a slow and painful 2024 Cap10K, I ran the HEB Sunshine Run 10K on May 5th in 1:05:53, just 22 seconds faster, but without pain or surprises. After months without running several hours per week, my fitness has definitely fallen off a cliff. I either need to get back to the treadmill or restart the bike. Or maybe the rower? I’ve been feeling both busy and lazy.

The afternoon after the Sunshine Run, my sons and I adopted two 6mo kittens, eventually settling on the names Luna and Tigra. They’re super-cute and lots of fun. I would wish that I’d gotten a new cat sooner (I had promised my kids Thanksgiving 2021), except that these two are so wonderful that I’m glad I waited.

I need a big trip to look forward to. Originally, I thought this was going to be Aconcagua, but it’s a three+ week commitment and that seems like it would be hard to swing for work. I’ve back-burnered Aconcagua now, thinking that I will perhaps try to do it if I make it to 2028 at Microsoft, when I’ll be eligible for an 8-week sabbatical. I may still take a short trip up Mount Shasta in Spring 2025, a leftover step in my plan to train (and learn/test gear) for Aconcagua.

With Aconcagua out, I need another big plan, and I’ve settled on doing Kilimanjaro again, this time the northern “Grand Traverse” route to see some new trails and to enjoy a slightly fancier tent. I’ll be going with a friend the last week of 2025 — plenty of time for us to get in shape. And get in shape I must, because I’m currently signed up for the Dash Dash 10K and the Run for the Water 10 Miler this fall, and the 2025 3M Half Marathon, 2025 Cap10K, and the 2025 Galveston Marathon. I think it’s unlikely that I’ll (ever) be in full-Marathon shape, so my current plan is to run the first half and speed-walk the second. :)

In terms of family trips, this summer I’ll be going on a cruise to Bermuda, Bahamas, and Royal Caribbean’s private island waterpark with my kids, parents, and brother’s family. It’s a 9-day voyage on an older and smaller ship, so we’ll have to entertain each other. :)

ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox

Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge.

In Edge, the screen looks like this:

But the problem isn’t limited to Microsoft’s internal training platform, and can be easily reproduced in Chrome:

What’s going on?

An ERR_BLOCKED_BY_CLIENT message can have a number of root causes; the most common is that a content-blocking extension you’ve installed (e.g. an ad-blocker) directed the browser to block the page.

But that’s not what’s happening here — we saw this on machines without any content blocking extensions.

What’s happening here is that the PDF viewer is blocked from loading because the new tab was created as a popup under the restrictions of the HTML5 Sandbox. The sandbox rules applied to the new tab include prohibitions on script and extensions, and Chromium’s PDF viewer requires both. So, the user ends up with a totally inexplicable blocking page.

Refreshing the page will not fix it, and shockingly, even navigating the tab to a different, non-PDF URL will still likely result in failures (either script won’t run, or the page will not load) because the sandboxing limits are not removed upon manual navigation. For instance, Twitter refuses to load:

Twitter shows ERR_BLOCKED_BY_RESPONSE due to its use of Cross-Origin-Opener-Policy

As an end-user, the workaround is easy: Copy/paste the URL from the broken tab to a new one and your document will load just fine.

As a web developer, to avoid creating unexpectedly impaired tabs, you must include the allow-popups-to-escape-sandbox token in the iframe’s sandbox attribute; when you do so, new windows opened from that frame will not be restricted.

A quick look showed that our company training app specifies this flag, but the new tab was still impaired.

What gives?

A deeper look showed that the training app contains nested sandboxes — while an inner iframe includes the allow token, that iframe’s parent does not have the token.

The grandparent’s restriction on its child also restricts its grandchild:

Perhaps the Chromium dev tools should warn if a child iframe’s sandbox directive specifies permissions that will be denied by the grandparent’s restrictions on the parent?
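As an added illustration that is not part of the original post, the following Node.js script models the HTML spec rule behind the nested-sandbox failure described above: each iframe’s active sandboxing flags are the union of the restrictions its own sandbox attribute imposes and its parent’s active flags, so a token present only on an inner iframe cannot lift a restriction an outer iframe imposes. The token and flag names are the spec’s; the sandbox chains fed to it are constructed for the demo, and only a subset of the real flag list is modeled.

```javascript
// Added example (not code from the original post): a model of how the HTML
// sandbox attribute composes across nested iframes. Nesting can only add
// restrictions, never remove them, which is why an inner iframe's
// allow-popups-to-escape-sandbox token is ineffective when its parent
// iframe's sandbox attribute lacks that token.

// Restrictions that an empty sandbox="" attribute imposes, keyed by the
// allow-* token that lifts each one. (Subset relevant to this post.)
const RESTRICTIONS = {
  "allow-scripts": "sandboxed scripts",
  "allow-popups": "sandboxed auxiliary navigation",
  "allow-popups-to-escape-sandbox": "sandbox propagates to auxiliary browsing contexts",
  "allow-same-origin": "sandboxed origin",
  "allow-forms": "sandboxed forms",
};

// Parse one sandbox attribute value into the set of restrictions it imposes.
// `null` means the element carries no sandbox attribute (no restrictions).
function parseSandbox(attr) {
  if (attr === null) return new Set();
  const imposed = new Set(Object.values(RESTRICTIONS));
  const tokens = attr.toLowerCase().split(/\s+/).filter(Boolean);
  for (const t of tokens) {
    // Unknown tokens are ignored, as browsers do.
    if (t in RESTRICTIONS) imposed.delete(RESTRICTIONS[t]);
  }
  return imposed;
}

// chain: sandbox attribute values from the outermost iframe down to the
// innermost frame. The active set is the union along the chain, so a
// restriction imposed by any ancestor reaches every descendant.
function effectiveRestrictions(chain) {
  const active = new Set();
  for (const attr of chain) {
    for (const r of parseSandbox(attr)) active.add(r);
  }
  return active;
}

// What happens when the innermost frame opens a new tab (window.open or a
// target=_blank link).
function popupOutcome(chain) {
  const r = effectiveRestrictions(chain);
  if (r.has(RESTRICTIONS["allow-popups"])) return "blocked";
  if (r.has(RESTRICTIONS["allow-popups-to-escape-sandbox"])) return "opens sandboxed";
  return "opens unsandboxed";
}

// Restrictions a sandboxed popup inherits (empty if it escapes or is blocked).
function popupRestrictions(chain) {
  if (popupOutcome(chain) !== "opens sandboxed") return [];
  return [...effectiveRestrictions(chain)].sort();
}

// Constructed chains: the outer iframe in the first case omits the escape
// token, as in the training app described in the post.
const ALL_TOKENS = Object.keys(RESTRICTIONS).join(" ");
const missingOnParent = ["allow-scripts allow-popups", ALL_TOKENS];
const presentOnBoth = [ALL_TOKENS, ALL_TOKENS];

console.log("escape token only on inner iframe:", popupOutcome(missingOnParent));
console.log("  popup inherits:", popupRestrictions(missingOnParent));
console.log("escape token on both iframes:     ", popupOutcome(presentOnBoth));
```

Running it prints "opens sandboxed" for the first chain (the popup inherits the outer iframe’s remaining restrictions) and "opens unsandboxed" for the second, matching the grandparent-restricts-grandchild behaviour the post describes.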

Mouse Gestures in Edge

Over twenty years ago, the Opera browser got me hooked on mouse gestures, a way for you to perform common browser actions quickly. After I joined the IE team in 2004, I fell in love with a browser extension written by Ralph Hare and I later blogged about it on the IEBlog and helped Ralph get it running in 64bit IE.

Many years passed. By 2015, I had abandoned the outdated IE and moved to Chrome full-time. When I joined the Chrome team in 2016, I was heartened to note that mouse gestures were one of the very few features slated for inclusion in the first version of Chrome. They were repeatedly postponed and eventually cut, with the idea that perhaps a browser extension was the way to go. I installed the most popular Mouse Gestures extension from the Chrome web store only to later discover that it was sending my browser traffic to a questionable server in China. I uninstalled it and reported it to the Chrome Web Store folks, who delisted it. Apparently, a while later, they slightly reduced the data leakage and got it back up on the Web Store, and in 2019 a newly hired PM lead on the Edge team suggested we all install it. I took a look at what it was doing and found that it was still engaged in questionable privacy practices. Bummer.

Fast forward to earlier this year, when I discovered that the Edge team has landed gestures in Edge on Windows! I was excited to see the implementation, and feel like it’s one of several features that make Edge feel like a batteries-included browser. (Unfortunately, this feature presently seems to be Windows-only. If you’re using a Mac or Linux, you should click the menu … > Help and Feedback > Send Feedback to ask for it.)

Dozens (hundreds?) of times a day, I enjoy the satisfaction of closing browser tabs by right-click-drawing an “L” on them.

To enable Mouse Gestures support in Edge, simply visit edge://flags/#edge-mouse-gesture and enable the feature:

After you restart the browser you can go visit the edge://settings/mouseGesture page to configure them:

Don’t worry about memorizing a ton of shortcuts — I really only use two: back (right-click+left-drag) and close tab (right-click+DrawL).

I smile every time this works, and every time I test something in Chrome I lament their absence.

-Eric

PS: Besides support for Mac OS, one other missing feature I’d love to see is the ability to bind a gesture to an extension or JavaScript bookmarklet. That would allow me to recreate one of my other IE-era gestures: I could waggle my mouse to run a JavaScript bookmarklet that would remove all ad-like elements from a page.

Going Electric – Solar 1 Year Later

In March of 2023, I had an 8 kW solar array installed and I was finally permitted to turn it on starting April 21, 2023.

My pessimistic/optimistic assumption that my buying an expensive solar array was going to be the trigger for technological breakthroughs in solar technology that rendered my panels obsolete wasn’t entirely unfounded. Sure enough, shortly after the install, I started hearing more and more about promising next-generation ‘tandem’ solar cells that will deliver even more power. You’re welcome. Still, those new cells are probably still at least a few years away from broad production, and staying out of the market for another decade didn’t feel like the right choice for me.

The summer of 2023 was a hot one, but my panels achieved one major goal I had in buying them — I stopped cursing the sun on clear summer days.

But how’d I do against the sales pitch from the installer?

Well, not great. The solar installer estimated that I would produce 11.27 MWh in my first year. I came in a bit lower than that, producing 10.7 MWh, a 5% shortfall. While I never expected the nominally 400 W panels to produce at their max for much of the day, they’ve never hit anything close to that (my “8 kW” array peaks at 6.4 kW).

In the first year, the best panel outperformed the worst by 10%.

I also consumed almost 3 MWh (38%) more than expected for the year. Of that excess, my Nissan Leaf explains about half (1.5 MWh) for the 6700 miles I’ve driven since I installed the panels.

It looks like peak daily production was 48.4 kWh on my 9th day of ownership, although I was hitting 40 kWh/day for most of the summer. While Austin’s scorching summer days make the panels less efficient, the longer daylight hours and fewer clouds meant that I hit 1.2 MWh/month for July and August.

Over the summer months, you can see the big deficit as the air-conditioner works overtime, but over the winter and spring you can see the solar production outpacing consumption (heating is via natural gas):

My lowest consumption day of the year was 6.1 kWh (no one was home).

The most fun part of the system is getting negative bills for electricity:

My panels saved me about $1060 ($0.0991/kWh) in the first year, making for a pretty long payback period. I’d initially expected the system, post-credits and deductions, to cost $15000, but it turns out that you have to deduct your utility incentives from the cost against which you’re getting a Federal tax credit, so my $2500 Austin Energy incentive reduced my federal credit down from $7470 to a still-respectable $6720.

So, after credits, my Final Installation Cost was $15,680, leaving a payback period of 15 years. Not awesome, but again, the major goal I had in buying solar was that I stopped cursing the sun on clear summer days.

The Enphase monitoring site says that my 10.7 MWh production has saved 7.6 tons of CO2, or 128 trees.

Thoughts On Batteries 🔋

When I installed my system, I opted not to buy the battery backup system for the house despite the fact that it meant I’d miss out on the federal tax credit available only when solar is first installed. I reasoned that the battery system would itself cost $1000 per year, and in ten years in Austin I have only lost power for a few days. Besides, battery technology is widely expected to continue to improve with every passing year, and hopefully soon using electric cars’ batteries as home backup will become commonplace (even my Leaf’s tiny battery is 40 kWh, twice the capacity of a large home system).

Shortly after that decision to forgo the battery, we had our longest-ever power outage, 56 hours, and I wondered whether I’d made a mistake. Ah well.

Before the winter storms of 2024, I bought a 768 Wh power station for $475 and predictably (given my luck) the power company managed to keep the power on throughout this year’s storms.

What’s Next? ⚡️

I’d heard great things about induction cooking, so I decided to dip my toes in with a portable cooktop. I like it a lot — it’s convenient and super-fast for boiling water for HelloFresh meals. I’d like to replace my entire stove, but I will likely need an electrical panel upgrade to do that, since my current panel is already at capacity with the car charger.

In the next few years, I’d like to get rid of natural gas entirely (my monthly bill is $26 even if I don’t use any gas). My water heater will age out first and I’ll likely replace it with a hybrid. The big lift will be replacing the heating and air conditioning with a heat pump — bizarrely, these are not yet common in Texas, but they make a lot of sense in this climate and the new federal incentives should help reduce the costs somewhat.


June 2024 Update

My system stopped reporting its power production to the Internet portal on May 7th, 2024. My support ticket with Native Solar got no response for a few weeks, and my DIY attempt to manually reset the Enphase gateway didn’t help. Fortunately, from the credit on my power bill, it looks like the panels are still producing as expected. A month after the outage began, I nagged them again and Native Solar told me that for a $300 fee they’ll come out and troubleshoot the system for up to an hour, something I would’ve assumed would be covered under the warranty. Suffice it to say, I don’t have a very good opinion of Native Solar any longer. :-( After a few easy email exchanges, Enphase sent me a new WiFi connector module, and on August 15th I finally had Native Solar come out to install it. Next, I find out whether Enphase’s reimbursement program will reimburse me for the installation.