Archive

Archive for the ‘Software’ Category

“It Just Works” vs. Security

May 1, 2014 Comments off

I have written before about the “it just works” problem: Training people to expect not to need to think about their technology gives rise to the self-fulfilling prophecy that most people can’t think about technologyThe usual problem with the “it just works” attitude, namely the users being completely lost as soon as something doesn’t work, is at least something that people recognize as a problem once it occurs. When something doesn’t work, they know it doesn’t work, and they know that they don’t know why it doesn’t work or how to fix it. However, the same attitude creates another problem that’s more difficult to recognize: A lack of security. Non-tech-savvy users not only do, but are encouraged to do, some rather unsafe things in the name of having everything just work.

To be a bit more specific, the problem is that people end up being compromised because they don’t know to take simple precautions or treat things they find online with an appropriate amount of suspicion. As a normal part of browsing the Web, people allow—without even realizing it—dozens of JavaScript scripts, Java applets, and Flash (and occasionally Silverlight) objects to run without their knowledge or consent. A large portion of these pieces of software are not even hosted directly on the sites users are trying to view, but pulled in from somewhere else, whether to add functionality (like blog comments, social media widgets, or embedded videos), to show ads, or just to track users (which, of course, pretty much all of them do). Users have no way of knowing whether some kind of malware has been inserted into the chain, something that has been known to happen even to perfectly legitimate Web sites.

A related issue is that people click without reading or thinking, don’t know enough to understand that it’s a problem that their homepage has suddenly switched to some search engine they’ve never heard of, and can’t figure out why their computers are so slow. Between deceptive “ads” that look like download buttons and installers for legitimate programs also installing “legitimate” (or at least nominally legal) adware and spyware if you’re not extremely careful, it’s easy to get tricked into installing something unwanted.

Of course, it’s a long-standing piece of security advice that if you let others run arbitrary software on your computer, it’s not your computer anymore. It’s just that most people don’t realize this and often don’t even realize that they’re letting people run arbitrary software on their computers. After all, it tends to happen completely transparently in the course of normal Web surfing.

What gets me is that people do know better. Technology is the only area of life I can think of where we let people get away with this.

Think about this: Just about everybody knows to lock the doors to their houses. They may not always do it, but they know they’re supposed to do it. It’ the same with cars: People know to turn them off, take the keys out, and lock the doors. Most people know better than to leave the car unlocked and running in the parking lot while they go shopping, because if they do, it probably won’t be there when they get back. And they certainly wouldn’t hand over their keys to anyone and everyone who asked for them. Yet pretty much any site on the Web can ask for something very nearly equivalent to that, and by default, the browser will allow it.

Admittedly, I may be making the problem sound worse than it is. Most of the software that is run in this manner is perfectly harmless, or at least not doing anything more harmful than tracking users to show them targeted advertisements. Moreover, at least in theory, there are limitations in place to keep these kinds of software from being able to do too much damage. However, I strongly recommend against depending on this. Most people probably wouldn’t let just anyone do just anything to their cars, even if they trusted the one doing the tinkering not to do anything deliberately harmful and trusted the car to limit the damage.

So why is that people take risks with their computers they wouldn’t take with their cars? I still think that it’s mainly a desire not to have to think about technology in order to make it work. That sounds like I’m accusing people of laziness, and maybe laziness is probably a part of it, but I actually can’t blame anyone for feeling that way. For one thing, security is an intimidating topic, whether you’re talking about computer security or any other kind. Blocking potentially harmful elements isn’t exactly trivial, either. (Firefox, for instance, doesn’t even allow JavaScript to be disabled from the Options menu anymore, for fear that a user will unwittingly “break” something—another example of the self-fulfilling prophecy.)

Additionally, there’s an education problem: People can’t understand the risks involved with using the Web unless someone explains it to them. After all, just surfing the Web while not deliberately blocking anything doesn’t sound any more risky than going out in public and walking around. Yet it seems to me that the industry doesn’t make much of an effort to explain it, and they probably won’t because it’s not in tech companies’ best interests. Vendors are too invested in their mythical ease of use to admit that using things safely requires a little time and effort to be spent up-front. Moreover, they face a lot of pressure from (or, in some cases, are) advertisement companies that have a financial interest in being able to track users to show them targeted ads.

After all this, what would I have people do? First, and foremost, I urge people to take some time to get a basic understanding of how the Internet works and what kinds of dangers it presents. This burden can’t rest completely on the shoulders of non-technical end users; people who already have in-depth understanding need to be able to explain it simply and quickly. After that, I recommend sticking to the principle of not letting anything run on your computer unless you know what it is and you know you need it. Makers of Web browsers (and other software) ought to make this easier than it is, but it will still take some time and effort. Tools like AdBlock Plus, NoScript, and Ghostery can be helpful here, though even they shouldn’t be trusted implicitly.

Nothing I’m suggesting is fool-proof, of course. The vast majority of computer users aren’t going to become security experts, and it would be wrong of me to expect them to. Computer security is really hard to understand, and even harder to implement correctly. However, I would argue that the same is true of physical security, and that doesn’t stop people from taking basic precautions. After all, people haven’t given up on locking their car doors just because smash-and-grab theft is possible.

Here’s the bottom line: People should be willing to spend the time, thought, and effort to use their technology safely, and using technology safely shouldn’t be as time-consuming, confusing, and difficult as it often is.

Advertisements
Categories: Security, Software Tags:

Forgetting Wireless Networks In Windows 8.1

March 30, 2014 Comments off

One of the problems with Windows 8 is that it hides important functionality. For instance, Windows 7 had a useful “Manage Wireless Networks” section of the Network and Sharing Center, but that was removed in Windows 8. The ability to delete a saved wireless connection did remain, albeit only when the connection showed up in the network list, where you could right-click it to delete it. Then Windows 8.1 came along and removed even that feature.

The good news is that the command-line utility netsh can still be used to forget the networks. You can type netsh wlan show profiles to display a list of saved networks, and netsh wlan delete profile name="profilename" (where profilename is the name of the saved network connection) to forget one. See Ciprian Adrian Rusen’s post on 7 Tutorials entitled How to Delete or Forget Wireless Network Profiles in Windows 8.1 for more details. That’s not much consolation, however, for users who aren’t comfortable using the command line.

To help mitigate this problem, I put together a batch file that acts a bit like a wizard to automate the process. It starts by displaying the list of profiles, asks the user whether to delete a profile, and prompts for the name of the profile to delete. It’s nothing fancy, but it might be easier to double-click a batch file and follow instructions than remember the netsh command.

A couple of caveats: First, I generally recommend against running just any batch file you found on the Internet unless you’ve had a chance to look it over and have at least some understanding of what it’s doing. That’s part of the reason that I’m not offering a separate download: If you copy-paste the code yourself, at least you know I didn’t slip anything in there that wasn’t in this post for everyone to see. Second, I’m offering this with absolutely no warranties whatsoever (see disclaimer below). I’m not sure what could go wrong, except maybe deleting a profile you didn’t mean to delete, but it wouldn’t be the first time I made something that failed in ways I didn’t think it could.

Here’s the code:

@echo off

:BEGIN

echo Listing saved wireless network profiles...
netsh wlan show profiles
set /p deleteconf="Delete a profile (Y/N)? > " %=%
IF %deleteconf%==Y ( goto DELETEPROMPT ) ELSE (
    IF %deleteconf%==y ( goto DELETEPROMPT ) ELSE ( goto END )
)

:DELETEPROMPT

set /p ssid="Delete which network? > "
netsh wlan delete profile name="%ssid%"

GOTO BEGIN

:END
echo Exiting.
pause

Just copy the above code and paste it into a text editor such as Notepad, then save it as something with the .bat extension. (When saving, make sure you set the “Save as type” field to “All files (*.*)” or else you’ll end up with a plain text file.) Double-click the batch file to run it. It will start by showing you a list of saved wireless network profiles. It will then ask whether you want to delete one. Type Y and hit enter, then type the name of the profile you want to delete and hit enter again. Repeat until you’re finished deleting networks, then type N at the prompt to exit.

Screenshot of the batch file running

Feel free to use and distribute this however you please. I’m not going to bother formally open-sourcing it because I don’t think there’s enough to it to warrant including a license longer than the actual code. However, I am going to borrow the disclaimer from the BSD license (which, according to Wikipedia, is public domain, so copy-pasting it here shouldn’t be a copyright issue).

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Lest there be any confusion, “This software” means only the batch file itself, since of course I don’t own netsh itself, and “the copyright holders and contributors” just means me in this case.

I hope someone out there finds this useful.

Functionality hidden behind badly named settings

December 28, 2013 Comments off

One of the things that annoys me the most about software is stupid usability issues.

For instance, when you see a checkbox on an options page with the label, “check my spelling as I type,” what do you think it does? I think it’s a reasonable assumption that it refers to the automatic spell-check that puts squiggly red lines under any words that the spell-checker doesn’t understand. After all, that is the spell-checking that occurs “as I type.”

Screen shot of Windows Live Mail options, including "Check my spelling As I type" checkbox

“Check my spelling as I type” in Windows Live Mail options

Screen shot of the new message window with a misspelled word underlined in red

Automatic spell-check underlining a misspelled word

In reality, however, that checkbox controls more than just the automatic highlighting of misspellings. Unchecking it also disables the on-demand spell check that would normally be available from the menu bar. The button that normally activates the spell check is grayed out.

Screenshot of new message window's with Editing menu open and spell-check icon enabled

Editing menu with the spell-check icon enabled when “Check my spelling as I type” is selected

Screen shot of Editing menu with spell-check icon disabled

Editing menu with the spell-check icon disabled when “Check my spelling as I type” is cleared.

The problem is not simply that the description is unclear. As I said before, it seemed extremely clear that the checkbox enables and disables the spell-checking that occurs as the user types. The problem is, that’s not what the setting actually does.

A simple solution would be to rename the setting to “Enable spell-checking” or something along those lines. More usefully, the setting could be modified to do what it says, and a separate setting could be provided to turn the on-demand spell checker on and off. I honestly don’t know why they share the setting in the first place.

Hat tip to the user poor1 at ComputerAct!ve forums for posting the solution to the grayed-out spell-check problem.

Categories: Software, Usability Tags:

How Does Firefox Protect Users’ Privacy?

October 31, 2013 Comments off

Mozilla seems to be making a big deal out of how Firefox protects its users’ privacy. I wondered if there was anything to that, or if it was just a bunch of Scroogled-style hype.

My curiosity was first piqued when a comment on an short piece about invasive advertising gave a link to the YouTube video Firefox Paranoia:

Well, you know how one YouTube video leads to another. One of the related videos was Firefox Squares:

In case you don’t feel like watching it, here’s the gist of “Firefox Squares”: When you surf the Internet, sites you visit keep track of you and sell information about where you’ve been to advertisers. Because Mozilla is a non-profit organization, however, Firefox protects your privacy.

Did you catch the non-sequiturs there? Just because the Mozilla Foundation is a non-profit doesn’t mean it’s not interested in making deals with big advertisers. For instance, they make a lot of their money from their deal with Google to make Google Search the default. Google, of course, is one of the biggest ad companies around, and it’s not like Google doesn’t do tracking.

There’s another non-sequitur, though: What does the browser have to do with the behavior of the sites you visit? The only way that makes any sense is if the browser comes with some kind of built-in tracking protection. However, that doesn’t seem to be the case. The best I could find so far is a list of “Advanced Security” features on the Firefox Features page, but for the most part, these features are not likely to be useful to an average user in preventing the kind of tracking mentioned in the video. Furthermore, they tend not to be unique to Firefox, which undermines the “switch to Firefox” message of the video. Here are the listed security features, along with my notes:

  • “Instant Web Site ID”: This is the popup with extra information about a site’s SSL certificate. Chrome has this, too and even IE has a version of it. Both browsers are made by for-profit companies.
  • “Content Security Policy”: The blurb isn’t helpful, but a Mozilla Security Blog post about Content Security Policy explains that it’s basically an anti-XSS measure that allows sites to send an HTTP header specifying what kinds of content may be included in a page. Of course, the same post says that Chrome and IE also support the header; in fact, it’s a W3C specification.
  • “Customized security settings”: Judging by the fact that the “Learn More” link took me to the “Security and passwords settings” page, this seems to mean only that Firefox will let you choose whether to save passwords for certain sites and add exceptions to allow sites to install add-ons. This, of course, has nothing to do with tracking cookies.
  • “Parental Controls”: Firefox enforces the parental control settings entered in Windows. I was under the impression that Windows handled that on its own without depending on the browser, and the Firefox Support page on parental controls does nothing to persuade me otherwise.
  • “Secure Updates”: Downloads updates for itself and its add-ons over an encrypted (https) connection. This has nothing to do with tracking.
  • “Private Browsing”: A separate mode that avoids saving history and cookies. Not hanging onto the cookies does help, but it’s not fool-proof because there are plenty of other ways to track you. Besides, The page that explains the feature in detail even admits that “Your Internet service provider, employer, or the sites themselves can still track what pages you visit.” The feature is less about tracking than about protecting your privacy on a shared computer (and it’s far from fool-proof even then, but it’s a start). What’s more, for-profit browsers IE and Chrome have equivalent features.
  • “Anti-virus integration”: This is a handy feature, but recent versions of Internet Explorer do it, too. It appears that Chrome does as well. So again, there’s no differentiation from the for-profit browsers.
  • “Clear Recent History”: Like private browsing, this feature is geared toward protection against snoops rather than online trackers.
  • “Anti-Malware”: The browser stops you from going to known malicious Web sites. Again, so does the competition.
  • “Do Not Track”: Not only do all major browsers have this feature, but it doesn’t offer any real protection against the kind of tracking in the video. Such tracking is implied to be at least somewhat sleazy if not outright malicious, but even legitimate (and “legitimate”) operations aren’t really obligated to honor do-not-track requests.
  • “Forget This Site”: This is basically a shortcut that lets you delete all information for a given site, rather than deleting history, cookies, and other information separately. It’s yet another feature that protects against snooping, but not against online tracking.
  • “Securing Website Connections”: If I’m reading the description right (and it’s not just a wordy way of saying Firefox supports SSL/TLS), Firefox automatically switches to an https connection when one is available. This feature protects against eavesdropping, not tracking. Advertisements and other content embedded in pages can still be used to track you, and as long as it’s encrypted too, you won’t even get a warning.
  • “Automatic Updates”: First of all, Chrome does this too. So does IE, albeit lumped in with Windows Update. Second, this isn’t really a privacy or security feature unto itself so much as a way to make sure that you get new privacy and security features (including patches for vulnerabilities) when they’re available. Third, and most importantly, this feature can sometimes reduce the security and privacy of the browser: Updates may contain bugs, and they can even contain “features” that reduce privacy, such as when a Firefox update recently removed the ability for normal users to turn off JavaScript using the options window—and re-enabled JavaScript for users who already had it turned off.
  • “Outdated Plugin Detection”: Again, this has little to do with online tracking, though it’s worth noting that exploits in plugins can be vectors for spyware, so it’s not totally unrelated. Chrome does this too.

To be fair, the features page doesn’t claim that all these features are intended to protect users from online trackers, or that they’re unique to Firefox. I listed all of them anyway only for the sake of completeness. My issue is with the video, not the features list. All I’m saying is that switching to Firefox isn’t inherently going to make people safer from online tracking just because Mozilla is a non-profit.

The moral of the story: Don’t use a product just because the company behind it (even a nonprofit) says it protects your privacy. Look at what it actually does.

Categories: Privacy, Software Tags:

FreeFileSync as a Briefcase Alternative

September 24, 2013 2 comments

My post from last December on getting briefcases to work on Windows 8 has gotten a lot of traffic, which makes me feel a little guilty. My experience has been that briefcases on Windows 8 don’t actually work all that well. For one thing, they were painfully slow. Additionally, I’d often run into a bug that made the briefcase think that both versions of some huge number of files (sometimes every file in the briefcase) had been modified, forcing me to click through every single one of them and manually decide which version to keep. Between these problems and the looming threat of the workaround being disabled in future versions, it eventually became clear that I needed to try something else.

The solution I decided on was an open-source (GPLv3) application called FreeFileSync.

In a lot of ways, FreeFileSync works similarly to briefcases. You specify directories to synchronize. The program compares them and shows you a list of which files have changed and what it plans to do to bring the two directories in sync, giving you the opportunity to change the action for each file. Then you click Synchronize, and FreeFileSync updates the files.

There are some differences, though. The first and most obvious is that FreeFileSync isn’t integrated into Windows Explorer like Briefcase is, so you have to open the program each time you use it. This doesn’t bother me, though, since the program is so much faster than briefcases on Windows 8 even with the extra clicks. This can also be an advantage: You can open the program once and run several sync jobs in one session without having to browse to each briefcase in Windows Explorer.

Additionally, FreeFileSync’s file list offers more information and more options for sync actions than a briefcase’s, and is easier to read. The program offers multiple sync options, like “mirror” and “update” in addition to the briefcase-like “two-way” sync. It also displays a graph with detailed information about sync progress, whereas a briefcase only gives you a progress bar. In my experience so far, most of the differences have just been advantages or additional features of FreeFileSync.

Screenshot of FreeFileSync main window

As a replacement for how I used briefcases, FreeFileSync hasn’t given me any major trouble. However, I generally created sync copies of entire directories, not individual files. If your briefcases had sync copies of several files form disparate locations on your hard drive, the transition to FFS may not go as smoothly. You can probably get what you want using filters, though this can be a bit of a pain to set up. Jobs can be saved, so you don’t have to re-enter the filters every time, but I won’t deny that this is still a cumbersome solution, especially if you add and remove files from your briefcase frequently. Whether it’s worth the hassle depends on your needs and how much trouble briefcases are giving you.

Screenshot of FreeFileSync showing filters and multiple folder pairs

FreeFileSync also has a few other features that I haven’t even tried yet. I’m not going to cover them here, since I’m focusing mostly on using FFS to replace the Windows briefcase, but they may be worth checking out. One such feature is the bundled RealtimeSync app, which can watch directories and run a command (generally a saved FFS batch job) whenever it sees a change. Another is the ability to maintain old versions of files deleted during sync, or move them to the recycle bin, instead of deleting them outright.

I’m happy enough with FreeFilesync that I’ve started using it on my Windows 7 PC as well. Briefcases were giving me an odd permissions issue when I tried to use them outside my user folder, but FreeFileSync has no such problems. It’s also a nice way to avoid the annoying “The briefcase is open on another computer” message that would often appear when I tried to use a program to open or save a file in a briefcase that was already open in Windows Explorer.

I have run into one problem so far: At one point, after I had some files deleted from a directory, FreeFileSync wanted to copy the files back across from the backup to the local copy, rather than deleting them from the backup. (The directory was a Git working directory, and the files disappeared because I switched to a branch that didn’t have them. I doubt that’s actually related to the problem, though.) This was trivial to work around, but it was a bit annoying. You’ll want to keep this in the back of your mind lest it catch you off-guard.

Overall, I’m very pleased with how FreeFileSync has worked for me. It isn’t perfect, but it does a good enough job that I recommend it over trying to keep using briefcases in Windows 8. Actual mileage will vary, of course, but if you’re relying on briefcases using the workaround I posted before, you should at least give FreeFileSync a look.

Restoring Windows Defender on Windows 8

I ran into a little difficulty getting Windows Defender up and running after the pre-installed Norton product on my work PC expired the other day. The work PC is running Windows 8, which comes with Windows Defender built-in, and I figured there was little reason to spend money on a Norton subscription when there was a perfectly serviceable antivirus app that came as part of the operating system.

(In case you’re wondering, the antivirus that comes with Windows 8 shares the name “Windows Defender” with an antispyware product that came with Windows Vista, but the Windows 8 version is basically a version of Microsoft Security Essentials. Microsoft should really find someone new to come up with their product names, because this is just confusing.)

Unfortunately, even after I uninstalled Norton, attempts to open Defender were met with an error message referring me to Action Center, which in turn told me to disable my third-party antivirus first. Hadn’t I already done that?

The confusion turned out to be my own fault, but before I get to that, here are the steps that solved the problem for me:

  1. Uninstall Norton through the usual Programs and Features Control Panel.
    • You should restart the computer when prompted and see if anything changes in Action Center before moving on to step 2.
  2. Download and run the Norton Removal Tool from the Norton Web site. Restart the computer when prompted.
  3. Open up Action Center, which should now give you the option to activate Windows Defender.

This wasn’t exactly a lengthy ordeal, but it was a bit of a nuisance. I might have spared myself some trouble had I been a bit more careful and followed some simple instructions.

First, I didn’t reboot when prompted by the uninstaller. I had other things open, so I decided to wait until later. So the next time I checked Action Center was after uninstalling Norton but before rebooting. I can’t say for sure, but I suspect I would been able to activate Defender without bothering with the Norton Removal Tool, had I rebooted immediately and then checked Action Center.

Unfortunately, my second mistake was to train myself to ignore the message that kept telling me to open Action Center. The message appeared every time I tried to access Windows Defender’s icon on the Start screen or in Control Panel, and I shrugged it off because I’d already checked Action Center at least once and there was no help for me there.

So I took to the Web to find an answer and came across the above-mentioned forum threads, downloaded and ran the Norton remover, and then restarted. Once it finally dawned on me that I still needed to check Action Center, the issue was resolved.

It’s tempting to make excuses about banner blindness and superfluous warnings, but the truth is I just made my life more difficult by not paying attention. Consider this my Lenten lesson in humility.

Pros and Cons of Windows 8

November 28, 2012 Comments off

Last month, I posted about Windows 8’s Metro interface…

Actually, let me stop myself right there. It seems they’re not using the name “Metro” anymore for trademark reasons. They’re going with “Modern UI” now. Apparently, this is old news. I’m a few months behind on my tech news in general, and I apologize. Read more at the Wikipedia article on the Metro design language.

As I was saying, I posted last month on the windows 8 Start Screen. I said then and still maintain that I like the new Start screen, but it definitely has its pros and cons. This time, I’m looking at the things I like and dislike about Windows 8 generally.

Before I continue I should repeat my caveat from last month: I’m still working with the Release Preview on a desktop PC. I haven’t upgraded to the full consumer version, even though it’s available now.

Good News

First of all, as I said last month, I’m a fan of the new Start screen. Admittedly, it’s far from perfect, but I do see it as an improvement. Read the post for more details; I won’t rehash it here.

Second, the Task Manager has received a significant overhaul for the first time since Windows XP. It’s largely a matter of the information that was there already being rearranged to be more readable, which is nice enough. This is especially noticeable on the Performance tab, which shows graphs of CPU, memory, disk, and network usage: Instead of a bunch of tiny graphs and readouts crammed into the same tab, there’s a list of thumbnail graphs that update in real time and serve as navigation buttons to switch between much larger and more readable displays. There are also new additions, like the App History tab that tracks Modern apps’ resource use, and the Startup tab that measures the impact of startup programs on the time it takes to start the computer.

Win8TaskManager_PerformanceWin8_TaskManager_Collapsed

I’m also a big fan of the changes to the file copy dialogs. Microsoft has added the ability to pause large file transfers. You can expand the dialog to view a graph of exactly how fast the file transfer occurred. Windows 8 gives you more fine-grained control over what happens when you copy a bunch of files to a destination that already has files with the same names, and lets you use checkboxes to apply the same actions to certain files, rather than clicking through a fresh dialog window for each file or choosing from a few across-the-board procedures. (You still have those broad brushes if you need them, though.)

Win8FileCopyWin8FileCopy_Paused

Rather than go on and on about these improvements, I’ll refer you to Scott Hanselman’s excellent post, “Windows 8 productivity: Who moved my cheese? Oh, there it is.” Hanselman goes into detail (that I won’t rehash) on the Task Manager and file copy dialogs, including plenty of screen shots, lists a huge number of useful keyboard shortcuts (many of which also work in previous Windows versions), and more.

One improvement Hanselman doesn’t mention, unless I missed it, is the return of the Up button in Windows Explorer. There’s no real need for this button, as Windows Explorer has given you one-click access to every folder in the path right from the address bar since Vista. Even so, and even after using Windows 7 on my primary computer for over a year and a half, I keep looking for the Up button. Apparently I’m not the only one.

An especially exciting bit of news is that Windows Defender has been upgraded to a full-blown antivirus program that comes “built into” Windows 8. Despite the somewhat confusing name, this isn’t just the anti-spyware app that came with Vista. It’s basically Microsoft Security Essentials. The difference is that, being “already included and ready to go” in the operating system, it presumably doesn’t come with Security Essentials’ licensing provision prohibiting commercial use except on up to 10 small business computers that weren’t also anyone’s personal computer. (Which is better than what most free antivirus apps require, but it still rules out my laptop.)

…At least, I think that’s how the licensing works. I haven’t been able to find a separate EULA for Defender anywhere on Microsoft’s site, and a page for the old Windows Defender has a EULA link that now redirects to the “Meet Windows 8” page. I can’t find anything in Defender’s help files, either. So unless one of my co-workers accepted a license agreement when turning Defender on, it looks like it’s just included in Windows. If it’s true, it’s great news! If not, I guess I’ll stick with Comodo.

Bad News

One irritating thing about Windows 8 is that its features tend to be unintuitive and hard to find. To borrow Hanselman’s reference, the fact is they did move the cheese, often to places that don’t make sense. Here are a few examples:

  • Like I said in my last post, while you can still search from the Start menu as easily as in Windows 7, the Start screen lacks the visible search box that 7’s Start menu had. How are users supposed to know they can type to search?
  • The Turn Off command is buried in the Settings menu, accessed from the Charms menu. Since when is turning off the computer a “setting”? It seems like Microsoft just didn’t want it cluttering the interface and looked for a place to stash it. It’s not the only example of this, either.
  • There are several keyboard shortcuts you can use to access the Turn Off menu. For that matter, Windows 8 is loaded with useful keyboard shortcuts. The problem is that most normal users don’t know about keyboard shortcuts, save maybe ctrl+alt+del. (Pundits constantly telling everyone Windows 8 isn’t optimized for a mouse and keyboard surely won’t help this).
  • Several places require you to hover or click a corner or, for a touch screen, swipe in from an edge like Android’s notification bar. The problem is that Windows 8 doesn’t provide a visible indication that there’s anything there to access this way.

The upshot of this is that a lot of non-tech-savvy people will be made to feel stupid even though it’s not their fault. I know I’m not the first to suggest this, but a tutorial would be really helpful here. I hope Microsoft thought to include one in the final release. (“Help” doesn’t count if it’s still hidden in the settings menu!)

Something that probably falls under that last example, but which I’m going to mention anyway, is the absence of the Start button. You still head for the lower-left corner to get to the Start screen, but instead of having an actual button there, you have to click on the very bottom-left pixel in the corner of the screen. This isn’t remotely as hard as it sounds, thanks to Fitts’ Law (though I haven’t tried it on multiple monitors), but that’s not the problem. The problem is that not only is there no visible cue to bring up the Start screen (until your mouse is already in the right spot), but the cue that was there since Windows 95 is now gone. I suspect that the missing Start button is part of the reason people think the Start menu is gone altogether and not just remodeled into the Start screen.

Another related issue is the way the Charms menus behave inconsistently. They always look the same, but they do different things depending on where you are.  The Search charm searches the computer when you’re on the desktop or the Start screen, but in a Modern app, it becomes an app-specific search function. The Settings menu lists settings for the current app or the Start screen itself unless you’re on the Desktop. Share… Well, Share doesn’t appear to do much of anything, but it uses different words to tell you it doesn’t do anything based on where you are.

I guess this isn’t inherently a bad thing. After all, the buttons on Android phones are pretty much the same concept. Maybe users will get used to it, then. However, it would make more sense for something that has a consistent location and appearance across contexts to have a consistent behavior across contexts as well. If Microsoft wants context-sensitive controls, why not make it clear what each control does in the current context? The Charms should have labels like “Search [app name]” and “[app name] Settings” instead of just “Search” and “Settings,” and Charms that do nothing should be disabled (i.e. grayed out).

Further complicating matters, some parts of the Charm menus are the same across contexts, like the default items populating the Search menu or the icons at the bottom of the Settings menu.

BingWeather_SettingsBingWeather_Search

(By the way, I’m not quite clear on the terminology, but I’m assuming that “Charms” can refer to either the icons in the Charms menu or the menus they open.)

A different kind of annoyance is the lack of a decent built-in e-mail program. The Mail app that came with the release preview apparently only works if you sign in with a Microsoft account. Full IMAP support was added for the actual release, but POP3 users are out of luck. The good news is that Windows Live Mail runs just fine on the Desktop. For that matter, PC World’s Brad Chacos suggested a workaround  using third-party, Web-based mail accounts (which the app can use) as intermediaries. But I wish Microsoft had included a single e-mail application that could be accessed from either the desktop or the Modern UI.

On that note, Internet Explorer doesn’t sync tabs when you switch from the Modern IE app to IE on the desktop. I’d like to mention whether or not the Favorites carry across, but thus far I haven’t even found the Favorites in the Modern app version.

Come to think of it, with the exception of “new experience enabled” Web browsers, it doesn’t even seem to be possible to write programs that can be accessed from both interfaces. (To be clear, you can pin Desktop apps to the Start screen as tiles. You just can’t use both interfaces for a single program that isn’t a Web browser.) I guess I understand the reasoning, but it seems like a missed opportunity.

Update 12/20/2012: Another irritation is that you can’t create briefcases anymore. A registry hack can restore this ability, but I’ve just been copying briefcases from earlier Windows versions as a workaround.

To be honest, I can live with most of the above. These things are annoying, and I can understand if some people see them as deal-breakers, but for me they aren’t.

There is one thing that might be, however, and it isn’t so much a feature/bug of Windows 8 itself as of Microsoft’s marketing strategy: You can’t just go buy a box with a full version of Windows 8 in it. You can buy an upgrade version, and you can get it pre-installed when you buy a computer, but you can’t just go buy a full version to put on a new computer. Instead, according to Microsoft, you must track down a sales rep at a “participating” computer store and purchase a System Builder license. (Apparently, “OEM” and “System Builder” are now being treated as synonyms, but I’m not 100% sure about that.) System builder licenses don’t come with customer support.

(Technically, there is one other option: Get the upgrade version, and find a secondhand copy of XP or 7 from eBay. Last time I checked, you could expect to pay around $40-50 for the secondhand OS. I don’t think that was part of Microsoft’s plan, though.)

I’ll mention in passing how ridiculous proprietary software licensing schemes seem to me, since I grew up in a time when you could just go buy software in a box and install it on your computer, and we now live in an era when thousands of freely-available open source programs stick mainly to a small number of licenses that serve as de facto standards. If I allowed myself, I could rant and rave about this for a long time, but I doubt anyone would care to read that.

Update 11/29/2012: It turns out that getting an OEM copy isn’t as hard as Microsoft’s Web site makes it sound. TigerDirect is selling OEM copies for around $120. (Thanks to my brother Andrew for letting me know about that.) That doesn’t address the lack of support, though, and I don’t yet know what provisions are in the EULA that wouldn’t be present in a full version (e.g. restrictions on moving the license to a different computer or transferring it to someone else).

Bottom Line

Windows 8 has a number of benefits and drawbacks that you’ll need to consider carefully before you decide whether to upgrade. I’m not going to recommend that you buy it. I’m not going to recommend that you wait it out like a lot of people did with Vista. What I recommend is the same thing I recommend with pretty much anything: Do the research, get some hands-on experience if you can, and see whether Windows 8 meets your needs. I’ve tried it, and I like it.